Tripwire Manager. User Guide 4.5
- Milton Cobb
- 10 years ago
Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. All other brand or product names may be trademarks or registered trademarks of their respective companies or organizations.

Tripwire, Inc. 326 SW Broadway, 3rd Floor Portland, OR US Toll-free: TRIPWIRE main: fax: [email protected] TW
About This Guide
Document List

- The Tripwire License Authorization Card (LAC) provides the access code used to obtain your Tripwire software license from the Tripwire Licensing website.
- The Tripwire for Servers Installation Guide describes installation procedures for Tripwire for Servers software.
- The Tripwire for Servers User Guide describes configuration and operation of Tripwire for Servers software.
- The Tripwire Manager Quick Start helps you to quickly install and configure Tripwire Manager software.
- The Tripwire Manager User Guide describes configuration and operation of Tripwire Manager software.
- The Tripwire Reference Guide contains detailed reference information about Tripwire for Servers.

You can access PDF versions of the documents from the docs directory on the Tripwire Manager and Tripwire for Servers CDs. You can access online help from the Tripwire Manager interface.
7 About This Guide Document Conventions This Guide uses the following typographic conventions. Bold Italic Constant Sans Serif in regular text indicates FTP and HTTP URLs, and emphasizes important issues. indicates file and directory names. in regular text shows commands and command-line options, and policy file rule attributes, directives, and variables. in examples shows actual user input on the command line. Sans Serif Italic in examples shows variables which should be replaced with context-specific values. W U [options] denotes sections of the text that apply only to Windows installations of Tripwire software. Unless otherwise specified, all references to Windows refer to Windows NT, Windows 2000, and Windows XP Professional. denotes sections of the text that apply only to UNIX or Linux installations of Tripwire software. Unless otherwise specified, all references to UNIX also refer to Linux. the command reference section shows optional command-line arguments in brackets. { } the command reference section shows sets of possible options in braces, separated by the character. Choose only one of the options. Unless otherwise specified, command-line examples assume that the Tripwire bin directory is the current working directory. Tripwire Manager User Guide v
8 About This Guide Support Contact Information For the latest information and support for Tripwire products, visit the Tripwire website or contact Tripwire Technical Support. Tripwire Support Website: Tripwire Technical Support: toll-free: TWSUPPORT (6am-6pm Pacific) phone: General information: international: Tripwire Professional Services Tripwire Professional Services provides flexible service and support to meet your specific technical and deployment needs. If you would like Tripwire software deployment and implementation assistance, or additional training in using Tripwire software products, visit or contact your Tripwire sales representative. Tripwire Educational Services Tripwire Educational Services provides hands-on technical training in installing, configuring, and maintaining Tripwire software. Courses are taught by Tripwire Certified Instructors. For more information about technical training, visit or contact your Tripwire sales representative. vi Tripwire Manager User Guide
11 Contents Contents About This Guide iii Document List iv Document Conventions v Support Contact Information vi Introduction to Tripwire Manager Introduction to Tripwire Software Tripwire Manager System Architecture How Tripwire for Servers Works Using Multiple Tripwire Managers Controlling Connections with Multiple Managers New Features in this Version Tripwire Manager Interface Tripwire Manager Windows Machine List Creating a Machine List Grouping Machines Network Status Window Action Window Output Window Main Window Selecting Windows to View Configuration File Editor Files Tab Checking Tab Tab Logging Tab SNMP Tab Tripwire Manager User Guide ix
12 Contents Other Tab Policy File Editor Report Viewer Main Pane Detail Pane Report Viewer Icons Object Pane Special Menu Options Manager Menu Machine Menu View Menu Preferences Policy Menu Report Menu Launch Menu Using Tripwire Manager Normal Tripwire Operation Checking Integrity Selective Integrity Check Options Checking Based on Severity Level Checking with Specific Rules Only Checking Specific Objects Only Ignoring Properties Checking Based on Policy File Section Disabling Command Execution Signing Reports ing Integrity Check Reports Checking Based on Matching Wildcard Patterns Scheduling Integrity Checks Viewing Reports Searching Reports Filtering Reports x Tripwire Manager User Guide
13 Contents Exporting a Tripwire Manager Report Events Violations in Reports Working with the Policy File Policy File Terms Editing Policy Files Working with Policy File Variables Working with Rules and Rule Blocks Creating Rule Blocks Creating Rules Updating the Policy File Resolving Violations During a Policy Update Updating the Database File Approving All Violations Approve by Severity Approve by Template Matching Modes Changing Configuration Options Distributing an Integrity System Archiving Files Changing Passphrases Verifying Passphrases Sending Notifications Notification Triggers Configuring Notifications Notify by Send Notify by Execute Command Notify by Archive Report Troubleshooting Registration Problems Connection Problems Network Error Connection Error Tripwire Manager User Guide xi
14 Contents Authentication Failure Resolving Database Update Problems Integrating with Other Applications Launching Manager From External Applications Introduction Command Reference Machine Lists Launch in Context Commands Types of Launch in Context Commands Understanding the Arguments Launch in Context Commands Manager Passphrase Command User and -Reason Commands Approve All Command Approve by Severity Command Approve by Template Command Archive Configuration Files Command Archive Integrity Systems Command Archive Policy Files Command Archive Report Files Command Archive Schedule Files Edit Configuration Command Edit Policy Command Edit Schedule Command Edit Integrity System Command Integrity Check Command Integrity Check Now Command Launch Command Update Database Command Verify Passphrases Command View Reports Command Add Machines Command Select in Report Command xii Tripwire Manager User Guide
15 Contents Launching External Applications Overview Types of Launch Commands General Attributes Command line launch command launch command Working with Launch Commands Creating Launch Commands Executing Launch Commands Modifying Launch Commands Deleting Launch Commands Exporting Launch Commands Importing Launch Commands Launch Contexts Launch Commands Global Context Machine List Context Report List Context Report Context Rule Block Context Update Database Context Violation Context Launch Command Parameters Launch Command Parameter List Launch Command Examples Telnet Ping View Manager Report in Browser Manager Report Send about a Specific Report Appendix: Tripwire Manager Security Measures Tripwire Manager User Guide xiii
16 Contents Cryptographic Signatures Passphrase Management Authentication Key Exchange Changing Authentication Keys Secure Data Communication Index xiv Tripwire Manager User Guide
1 Introduction to Tripwire Manager

This chapter introduces Tripwire Manager, which you use to manage multiple installations of Tripwire software across a network. If you are new to Tripwire software or to the concepts of data and network integrity, this chapter gives you the background that you need. If you have previous experience with Tripwire software, read about the new features in this release of Tripwire Manager before moving on.
Introduction to Tripwire Software

Tripwire software assures the integrity of critical data and network infrastructure by detecting and reporting change. You configure Tripwire software to monitor the data that is important to you. Based on your configuration, the software creates a baseline snapshot of your data in a known good state.

After you establish the baseline, you run regular integrity checks to monitor your data. During an integrity check, Tripwire software compares the current state of data to the baseline and reports a violation for any change it detects.

You examine report files to help you evaluate changes to your data. To resolve malicious or unauthorized changes, you can take appropriate measures, such as restoring changed files. If changes are acceptable, you can update the baseline database to include them so that Tripwire software no longer detects them as violations.

[Figure: diagram of the Baseline, the Current Data and Tripwire Software, with these captions]
1. Baseline. Tripwire software stores a baseline "snapshot" of your data. "This is how the data should look."
2. An integrity check compares the baseline to the current state of the data to identify changes. "Is the data the same as it was?"
3. Tripwire software reports a violation for each change it detects. "What changed?"
You examine changes and take appropriate action. This may include restoring changed data or updating the baseline. "Keep the system and baseline in sync."
Tripwire Manager System Architecture

The Tripwire Manager system consists of two main components:

- Tripwire for Servers, a self-contained integrity assessment system that you install on each machine you want to monitor. Tripwire for Servers reports additions, deletions, or modifications to monitored objects.
- Tripwire Manager, a Java application with a graphical user interface (GUI) that allows you to manage multiple installations of Tripwire for Servers software from a central location.

The most basic configuration is a single Manager that controls all Tripwire for Servers machines. Multiple Managers can connect to the same Tripwire for Servers machine. However, only one Manager can make changes to a Tripwire for Servers machine at a time. See page 6 for more information.

See page 158 for information about authentication and secure communication in the Tripwire Manager system.
How Tripwire for Servers Works

Tripwire for Servers is a self-contained integrity checking system that resides on each machine you want to monitor. Tripwire for Servers works in the same way, whether you use Tripwire Manager to manage machines or issue commands from the command line.

1. After installing Tripwire for Servers, your first step is to customize your policy file. In the policy file you specify which directories, files, or registry objects you want the software to monitor.
2. Next, initialize a database file. This database is a compact digital snapshot of the system in a known-good state. This serves as the baseline for integrity checks later on.
3. After initializing the database file, you may need to edit the policy file so that it better matches the system. This process is called tuning your policy file.
4. Run integrity checks. During a check, Tripwire software compares the current state of the system to data in the database file and reports any changes it detects. You can view reports with Tripwire Manager, send them via e-mail or SNMP trap, or write them to system log files.
5. Analyze reports to decide if changes to the system are authorized.
6. If you discover unauthorized changes, take appropriate measures, including restoring files from backup, or changing security procedures to prevent further intrusions.
7. If you discover authorized changes, update the database file to reflect the changed state of the system. This prevents the software from flagging these same changes as violations in the future. After you resolve all of the changes, you can run another integrity check to verify the integrity of the system.
8. After integrity checks, you may need to update the existing policy file to monitor new files, or to change rules that generate noise in report files.
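The baseline, integrity check and database update steps above, modelled as an added example; this is not Tripwire code and does not use Tripwire's database format. SHA-256, size and mode stand in for the monitored properties, an HMAC stands in for signing the database, and all function names, the key and the sample files are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(root):
    """Record size, permission bits and SHA-256 of each regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # this model only tracks regular files
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            state[os.path.relpath(path, root)] = {
                "mode": st.st_mode & 0o7777,
                "sha256": digest,
                "size": st.st_size,
            }
    return state


def seal(state, key):
    """Serialize a baseline and compute an HMAC tag over it."""
    body = json.dumps(state, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    """Refuse to use a baseline whose tag does not verify."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline failed authentication")
    return json.loads(body)


def integrity_check(baseline, current):
    """Return violations by type: added, removed, changed (with properties)."""
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        props = [p for p in sorted(baseline[path])
                 if baseline[path][p] != current[path][p]]
        if props:
            changed[path] = props
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": changed,
    }


def update_baseline(baseline, current, approved):
    """Accept only the approved paths into the baseline; the rest stay flagged."""
    updated = dict(baseline)
    for path in approved:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)
    return updated


def demo():
    key = b"constructed-demo-key"  # constructed; stands in for a signing key
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(data)

        write("app.conf", "port=8080\n")
        write("motd", "welcome\n")
        body, tag = seal(snapshot(root), key)      # step 2: initialize database

        write("app.conf", "port=9090\n")           # authorized change
        write("dropped.bin", "unexpected\n")       # unauthorized addition
        os.remove(os.path.join(root, "motd"))      # unauthorized removal

        baseline = unseal(body, tag, key)
        now = snapshot(root)
        first = integrity_check(baseline, now)     # step 4: integrity check
        baseline = update_baseline(baseline, now, ["app.conf"])  # step 7
        second = integrity_check(baseline, now)    # unresolved items remain

        try:
            unseal(body.replace(b"motd", b"motx"), tag, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True                 # edited baseline is rejected
    return first, second, tamper_detected


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Approving only `app.conf` leaves the addition and the removal in the second report, which is the point of resolving changes one by one before updating the baseline.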
[Figure: flowchart with these boxes and decisions: 1. Install software & create policy file; 2. Initialize database file; 3. Tune policy file; 4. Run integrity check; Changes found? (Yes/No); 5. Examine report file; Changes permitted? (Yes/No); 6. Take appropriate security measures; 7. Update database file; Policy file working properly? (Yes/No); 8. Update policy file]
Using Multiple Tripwire Managers

Each Tripwire Manager can connect to a Tripwire for Servers machine in two ways. The number and type of connections for each Tripwire Manager are controlled by its license file.

- With a Controlling connection, a Manager can perform any Tripwire task on a Tripwire for Servers machine. This includes checking integrity, viewing reports, and editing and updating files.
- With a Viewing connection, a Manager can only view reports and files on a Tripwire for Servers machine. A Manager that can only have Viewing connections is called a Tripwire Monitor.

If your network has more than one controlling Manager, a Manager may be granted Controlling connections with some machines and Viewing connections with other machines at the same time. The type of connection a Manager has with a Tripwire for Servers machine is shown by its icon in the Machine List (page 11).

Controlling Connections with Multiple Managers

Multiple Managers can connect to a Tripwire for Servers machine, but only one Manager can have a Controlling connection for the machine. The first Manager registered to a Tripwire for Servers machine with a Controlling connection controls that machine. Until this Manager disconnects, other Managers can only establish a Viewing connection with this machine.

When the first Manager disconnects, the next Manager that requested a Controlling connection will receive it, passing on the Controlling connection in the order in which the Managers registered to that Tripwire for Servers machine. You can change the hierarchy of control by disconnecting all Managers from a Tripwire for Servers machine, then adding them back in a new order (page 42).
New Features in this Version

Tripwire Manager includes a number of new features in this release. These features enable you to:

- approve violations on machines by severity, or based on a template file. See pages
- launch Tripwire Manager from an external application, without additional user input. See page 118.
- integrate Tripwire Manager with external applications when using the database update window. See page 143.
- select an object in a report file to locate the corresponding policy file rule, or add an exclusion. See page 72.
- track additional classes of events with the Event Tracking Flags configuration parameter. See page 22.
- verify passphrases on Tripwire for Servers machines. See page 101.
- recognize communication problems between Tripwire Manager and Tripwire for Servers machines. See page 12.
- adjust the socket connect timeout value used with Tripwire for Servers machines. See page 48.
2 Tripwire Manager Interface

This chapter describes features of the Tripwire Manager interface. The interface is information-rich, so understanding it helps you to get the most benefit from the software.
Tripwire Manager Windows

Tripwire Manager consists of five windows you can resize and rearrange to customize the interface.

A. Machine List: shows Tripwire for Servers machines currently registered to this Tripwire Manager
B. Network Status: shows the current status of Tripwire for Servers machines
C. Action Window: provides quick access to commonly-performed tasks
D. Output Window: shows feedback from Tripwire for Servers machines
E. Main Window: area for editing and viewing files
Machine List

The Machine List shows information about the Tripwire for Servers machines registered to this Manager. Tripwire for Servers machines are arranged into groups. You can establish multiple levels of machine groups, as well.

The folder icon shows the severity of violations for the machines in that group, based on each machine's most recent report file. See page 62 of the Tripwire Reference Guide for information on severity.

- Red means at least one machine in the group has a high-severity violation
- Yellow means at least one machine in the group has a medium-severity violation, but no machines have high-severity violations
- Blue means at least one machine in the group has a low-severity violation, but no machines have high- or medium-severity violations
- Green means no machines in the group have violations
- Gray means that none of the machines in the group have report data and, therefore, severity cannot be determined for the group

Mixed statuses can occur. Group folders may have half-colors. For example, a folder that is half gray and half red, blue, or green indicates that one or more machines in the group does not have report data. The folder's color represents the highest severity level violation for the machines that have report data.
The machine icon shows the severity of violations for that machine, based on its most recent report file.

- Red means the machine has at least one high-severity violation
- Yellow means the machine has at least one medium-severity violation, but no high-severity violations
- Blue means the machine has at least one low-severity violation, but no high- or medium-severity violations
- Green means the machine has no violations
- A question mark means the machine does not have a current report file, or has not been polled for status. You can update a machine's status by right-clicking the machine and selecting Refresh Status, or by running an integrity check.
- A red X means that the Manager cannot connect to this machine because of network or configuration problems. See page 108 for information on connection problems.

A connection icon shows what type of connection this Manager has with the machine.

- A wrench means this Manager has a Controlling connection with this machine, and can perform all Tripwire tasks. See page 6.
- Glasses mean a Viewing connection. This Manager can view files and reports but cannot edit files or run integrity checks on this machine.
- The Connection Error icon means that communication between the Manager and this machine is disrupted. You may need to change the timeout settings for network communication. See page 108.

The Severity column displays the severity of the violations that have occurred on a given machine. The color coding for the Severity column is identical to the color coding described above.

The Type column indicates the type of violations that have occurred on a given machine. The violation types are indicated by different colors:

- Olive green indicates that objects have been added.
- Teal indicates that objects have been removed.
- Purple indicates that objects have been changed.
Creating a Machine List

In order for Tripwire Manager to monitor a machine (or machine group) you must include that machine in the Machine List. You can connect machines individually, or import a list. If you are connecting more than ten machines, it is faster to import a list.

To import a list of Tripwire for Servers machines:

1. Create a comma-delimited .txt file listing each Tripwire for Servers machine on a separate line, using this format:

   machine_name,group,address,port#,memo,site,local

   - group is this machine's Tripwire Manager group (page 11). If you don't want to group machines, leave this field empty.
   - address can be specified using an IP address or DNS hostname
   - site and local are the site and local passphrases for each machine

   If you omit any of the fields in the import file, leave that field's comma as a placeholder.
2. Select Manager > Add Machines in the Tripwire Manager menu, then click Import and navigate to the import file.
3. Click OK to register the machines.
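A pre-flight check for the import file described above, as an added example that is not part of the guide or of Tripwire software. It assumes plain comma splitting with no quoting, treats an empty port field as the default 1169, and on POSIX systems flags a file that group or other users can access, because the last two fields hold passphrases; the function names and sample rows are constructed.

```python
import ipaddress
import os
import re
import stat

FIELDS = ("machine_name", "group", "address", "port", "memo", "site", "local")
DEFAULT_PORT = 1169  # default port named in the guide

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_address(value):
    """Accept an IP address or a syntactically valid DNS hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.split(".")
    if all(label.isdigit() for label in labels):
        return False  # malformed IPv4 address such as 10.0.0.999
    return len(value) <= 253 and all(_LABEL.match(label) for label in labels)


def check_import(text):
    """Validate import-file text; return (records, problems).

    Field values are never echoed into problems, because the last two
    fields of each line are passphrases.
    """
    records, problems, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS):
            # Usually a dropped placeholder comma, or a comma inside a field.
            problems.append(
                f"line {lineno}: {len(parts)} fields, expected {len(FIELDS)}")
            continue
        rec = dict(zip(FIELDS, parts))
        found = []
        name = rec["machine_name"].lower()
        if not name:
            found.append("machine_name is empty")
        elif name in seen:
            found.append("duplicate machine_name")
        seen.add(name)
        if not valid_address(rec["address"]):
            found.append("address is not an IP address or hostname")
        port = rec["port"] or str(DEFAULT_PORT)
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            found.append("port out of range")
        if found:
            problems.extend(f"line {lineno}: {msg}" for msg in found)
            continue
        records.append({
            "machine_name": rec["machine_name"],
            "group": rec["group"],
            "address": rec["address"],
            "port": int(port),
            "has_passphrases": bool(rec["site"] or rec["local"]),
        })
    return records, problems


def audit_file(path):
    """Check an import file on disk, including who else can access it (POSIX)."""
    with open(path, encoding="utf-8") as fh:
        records, problems = check_import(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077 and any(r["has_passphrases"] for r in records):
        problems.append(
            f"file mode {mode:03o} exposes passphrases to group/other")
    return records, problems


# Constructed sample rows; names, addresses and passphrases are made up.
SAMPLE = """\
web01,DMZ,192.0.2.10,1169,front-end web,site-pass-1,local-pass-1
db01,,db01.example.com,,,,
web01,DMZ,192.0.2.11,70000,duplicate name and bad port,site-pass-3,local-pass-3
mail01,DMZ,10.0.0.999,1169
"""

if __name__ == "__main__":
    recs, probs = check_import(SAMPLE)
    for rec in recs:
        print("ok:", rec)
    for prob in probs:
        print("problem:", prob)
```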
To add Tripwire for Servers machines individually:

1. Select Manager > Add Machines from the menu.
2. Enter information for the machine you want to add. Use default port number 1169, unless a different port is specified in a machine's agent.cfg file. If you use DHCP to assign IP addresses in your network dynamically, put the DNS-resolvable hostname for the machine in the Address field AND the Machine Name field.
3. Click Add to add more than one machine, and enter information for the next machine.
4. Click OK to register the machines, then provide the console passphrase for the Manager and the site and local passphrases for each Tripwire for Servers machine.

Grouping Machines

Tripwire Manager also allows you to group machines with multiple levels of hierarchy. For example, you could create groups of machines according to geographical location, or departments in your organization.

To create a machine group:

1. Select the machines in the machine list that you want to include in the group.
2. Choose Regroup Agents from the Tripwire Manager menu.
3. Select a group from the list, or click New Group and give the new group a name in the resulting dialog box.
4. Click OK.
To create a nested machine group:

1. Select the machines in the machine list that you want to include in the group.
2. Choose Regroup Agents from the Manager menu.
3. Click New Group.
4. Choose the machine group that is to be the parent group from the list of defined machine groups.
5. Enter a name for the new child group.
6. Click OK.

Tripwire Manager creates the new group as a child to the parent group, with the selected machines as members of the new group.
Network Status Window

The Network Status pie chart shows four types of status information, using the data from current report files. The pie chart can reflect status information from all machines, or only the currently selected set of machines. Click for a more detailed, printable version of any chart.

- Machine Status shows current tasks for all machines
- Report Summary shows all machines categorized by the highest-severity violation from each machine's most recent report file. See page 62 of the Tripwire Reference Guide for information on severity.
- Enterprise Integrity shows the total number of violations for all machines, categorized by severity level. All violations are expressed at the level of the highest-severity violation from each machine's most recent report file.
- Violation Types shows the type of violations (additions, deletions, or changes) for all machines

Machines without current report files (indicated by the icon) do not contribute data to Report Summary, Enterprise Integrity, or Violation Types charts. When machines do not have current report files, you can refresh their status, or run another integrity check to produce a current report file.

Action Window

The Action Window provides access to common operations. You can also perform all of the Action Window tasks from the Machine menu (page 42), or by right-clicking a machine in the Machine List.
Output Window

The Output Window provides feedback from Tripwire for Servers machines. Tripwire for Servers machines also write this output to the log file specified in Preferences (page 48).

- Blue text indicates successful completion of Tripwire for Servers tasks.
- Red text indicates Tripwire for Servers tasks were unsuccessful.
- Black text indicates Tripwire Manager-related information.

Main Window

The Main Window shows Tripwire files so that you can edit them. You can have multiple editing windows for multiple Tripwire for Servers machines open at the same time. Tripwire Manager keeps the currently active editing window highlighted and on top.

Selecting Windows to View

In addition to clicking on windows to open them, you can access any open window within the main window as follows.

To view a particular window in the main window:

1. Select View > Windows.
2. Select the window you want to view.
3. Click Switch to Window.

To close a particular window in the main window:

1. Select View > Windows.
2. Select the window you want to close.
3. Click Close Window.
Configuration File Editor

The Configuration File Editor provides a method for setting the configuration parameters for Tripwire for Servers machines. This editor consists of the following tabs:

- Files tab (page 19)
- Checking tab (page 21)
- E-mail tab (page 24)
- Logging tab (page 27)
- SNMP tab (page 30)
- Other tab (page 32)
Files Tab

On the Files tab, you can set the following configuration options:

Policy File: Path to the policy file used for integrity checking.
  Default value: <tfs_root>\policy\tw.pol

Database File: Path to and name of the database file.
  Default value: <tfs_root>\db\database.twd

Report File: Path and name for report files. Tripwire for Servers writes report files to this directory on the local machine. The HOSTNAME and DATE variables represent the date and time of the integrity check. Tripwire for Servers uses them in the report file name.
  Default value: <tfs_root>\report\$(hostname)-$(DATE).twr
Site Key File: Path to the site key file that signs the Tripwire configuration and policy files.
  Default value: <tfs_root>\key\site.key

Local Key File: Path to the local key file that signs the Tripwire database file and (optionally) report files.
  Default value: <tfs_root>\key\local.key

Temporary Directory: Temp directory for storing Tripwire for Servers temporary files.
  Default value: /tmp in UNIX, system default temp directory in Windows

Policy Rights: UNIX-style Read/Write/Execute permissions for the policy file.
  Default value: 644
  Valid values: (3 octal digits)

Database Rights: UNIX-style Read/Write/Execute permissions for the database file.
  Default value: 644
  Valid values: (3 octal digits)

Report Rights: UNIX-style Read/Write/Execute permissions for report files.
  Default value: 644
  Valid values: (3 octal digits)

Config Rights: UNIX-style Read/Write/Execute permissions for configuration files.
  Default value: 644
  Valid values: (3 octal digits)
Checking Tab

On the Checking tab, you can set the following configuration options:

Loose Directory Checking: Suppresses checking of some directory and registry key properties. This reduces duplicate violations (one for the change to an object and one for the change to its parent directory or registry key).

Reset Access Time: Causes Tripwire for Servers to reset the access time of a file system object to the value it was when the software accessed the object. During integrity checks, Tripwire's accessing of file system objects changes their access time value. This can cause false-positive violations when monitoring objects for access time change. To retain original access times for data forensics, select this option.
Enable Event Tracking: Turns event tracking on. Event tracking provides additional information about who made changes to files and registry keys, when they changed them, and what they changed. Note that a significant amount of server-side configuration is required to fully enable this feature. See the Tripwire for Servers User Guide for details.

Event Tracking Flags: Specify additional types of events for Tripwire for Servers to track. See the Tripwire Reference Guide for details.

Traverse Mount Points (U): Causes Tripwire for Servers to cross file system mount points during integrity checks. Selecting this parameter may introduce security risks. If you check this parameter, we recommend you limit recursion by adding recurse attributes to the policy file.

Politeness: Sets Politeness level (0-5). This setting lets you control the balance between CPU usage and the amount of time the operation takes to complete. The higher the number, the more CPU time Tripwire yields to other processes. At the default level of 0, Tripwire does not wait for other applications.

Allow Command Execution: Turns command execution on or off.

Execute as User (U): Specifies a user account to run command execution processes.
  Dependency: Allow Command Execution must be on.
Global On Violation: Specifies an absolute path to an executable file, and any command-line options you want to pass to the executable. Executed for each violation detected. If a violated rule also uses the onviolation command, that command will run instead of this Global On Violation command for that object only. If the path to the executable contains white space, it must be quoted. Use the same syntax as the onviolation attribute (see page 18 of the Tripwire Reference Guide).
  Valid values: an absolute path to an executable file
  Dependency: Allow Command Execution must be on

Max Command Processes: Specifies the maximum number of processes that command execution can spawn for each integrity check. This does not affect the command spawned by the Always Run Once parameter. If this parameter is omitted or does not have a value, Tripwire for Servers can spawn an unlimited number of processes.
  Valid values: any positive integer
  Dependency: Allow Command Execution must be on

Always Run Once: Specifies an absolute path to an executable file, and any command-line options you want to pass to the executable. Executed exactly once after an integrity check, whether or not any violations are found. If a violated rule also uses an onviolation command, that command will run in addition to this Always Run Once command. See pages in the Tripwire Reference Guide for more information about syntax for Always Run Once.
  Valid values: absolute path to an existing executable file
  Dependency: Allow Command Execution must be on.
E-mail Tab

On the E-mail tab, you can set the following configuration options:

Mail Method: The protocol for sending reports.
  Valid values: SMTP, sendmail, or MAPI (for Windows)
  Default value: SMTP

SMTP Host: The domain name or IP address of the SMTP server.
  Dependency: Mail Method must be set to SMTP
  Valid values: IP address or domain name of SMTP server

SMTP Port: The port number for SMTP.
  Dependency: Mail Method must be set to SMTP
  Default value: 25
  Valid values: 1 to
Mail Program: Path and arguments to a mail program.
  Dependency: Mail Method must be set to sendmail
  Case-sensitive: yes
  A valid mail program must:
  - be executable by the user account Tripwire for Servers is running under
  - take an RFC822-style mail header
  - list recipients in the To field of the mail header
  - ignore lines of a single period

From Address: A resolvable From address for reports sent via SMTP or sendmail. This option does not work for MAPI.
  Valid values: one resolvable SMTP address
  Example: [email protected]
  Case-sensitive: no (both [email protected] and [email protected] are acceptable)

Character Encoding: Character set for Tripwire SMTP reports. This option does not work for MAPI.

E-mail Report Level: A level of detail for reports.
  Default value: 3
  Valid values: 0 to 4
  0  single line summary report; lists total adds, removes and changes
  1  parsable list of all violated objects
  2  summary report; lists violations by section and rule name
  3  lists added object and removed object violations plus expected vs. observed properties for modified object violations
  4  level 3 plus all properties of all violated objects
Mail No Violations Reports
Causes Tripwire for Servers to send notification even when integrity checks detect no violations. For the highest security, set this parameter to true.

Localize
Controls localization of reports on Japanese locales. If your servers and clients do not handle multi-byte characters well, you can work around this by unchecking this option. When unchecked, reports are sent in English on Japanese locales.

Global
Addresses to receive (all) reports after each integrity check. When Mail No Violations Reports is unchecked, reports are not sent when integrity checks detect no violations.
Default value: none
Valid values: any valid e-mail address or addresses
NOTE: You can delimit multiple addresses with semicolons. For more information, see page 10 of the Tripwire Reference Guide.

Logging Tab
On the Logging tab, you can set the following configuration options:

Syslog Reporting
Causes Tripwire for Servers to log a record of database initializations, integrity checks, database updates, policy file updates, and commands executed by Tripwire to a system log file.
U  In UNIX, by default Tripwire for Servers makes log entries to the syslog from the user facility at the notice level.
W  In the Windows operating system, by default Tripwire for Servers makes log entries to the application event log.

Syslog Host
Causes Tripwire for Servers to log syslog entries to a remote host or number of host machines.
NOTE: Without third-party tools, Tripwire for Servers cannot remotely log UNIX machine integrity check information to a Windows machine, or vice versa. Your syslog host must match the OS of the machine that generates the log information.
Valid values: \\remote_host
You can specify multiple remote hosts like this. Precede each host name with two \ characters:
W  SYSLOGHOST=\\host1 \\host2 \\host3...

Syslog Report Level
Level of detail for syslog entries made for integrity checks.
Dependency: Syslog Reporting must be set to true
Default value: 0
Valid values: 0 to 2
0  single line summary syslog entry; lists total adds, removes, and changes
1  separate syslog entry for each violation
2  separate syslog entry for each violation; entry shows that a violation occurred, and which properties were violated

Syslog No Violations
Causes Tripwire to log notification to the syslog when an integrity check detects no violations. For the highest security, activate this option.

Syslog Const
Causes Tripwire to report all events that use a Tripwire for Servers executable, including events that do not change the state of Tripwire for Servers files (such as printing reports, examining encryption, or accessing help on the command line).

Localize Syslog
Controls localization of syslog messages on Japanese locales. To write Tripwire syslog messages in multi-byte characters on Japanese locales, check this option.
NOTE: Not all syslog utilities support multi-byte characters. To work around this, leave this option unchecked.

Audit Log
Causes Tripwire for Servers to write audit log entries with the same level of report information specified by the Syslog Report Level. Allows integration of Tripwire for Servers integrity check information with other applications that read audit entries.

Syslog Facility
Specifies the destination facility for syslog entries made by Tripwire.
Valid values: Varies by operating system (see table)

OS        Valid values                                   Default
UNIX      user, local0 through local7, auth, authpriv    user
Windows   application, system                            application

Syslog Priority
Allows Tripwire for Servers to access the numeric range of syslog priorities (as supported by a machine's OS).

SNMP Tab
On the SNMP tab, you can set the following configuration options:

SNMP Host
Causes Tripwire for Servers to send an SNMP message trap to the specified host. The information sent is identical to a level 0 report (a one-line summary of total violations).
Valid values: IP address or domain name of SNMP host

SNMP Port
Specifies which port on the SNMP host Tripwire for Servers should use for SNMP traffic.
Default value: public
Valid values: any text string

SNMP Community
Sets the community name in SNMP trap messages from Tripwire for Servers. This option is only relevant for SNMP version 1.
Valid values: any text string

SNMP on No Violations
Causes Tripwire for Servers to send an SNMP trap even when integrity checks detect no violations.

Determine IP address of server automatically
Causes Tripwire to automatically determine the Network Interface Card (NIC) to use for SNMP traps. Select this option only if your machine has one NIC.

Send SNMP traps from the following IP address
Causes Tripwire to use the Network Interface Card (NIC) that you specify for SNMP traps. Select this option if your machine has more than one NIC.

Other Tab
On the Other tab, you can set the following command-line-related configuration options:

Editor
Sets an absolute path to a text editor for interactive integrity checks. (Interactive integrity checks allow an update of the database directly after an integrity check.) If the path to the executable contains white space, it must be quoted.
A valid text editor must:
- approve a file on the command line
- exit with 0 status on success and non-0 status on error.
Both vi and emacs satisfy the text editor requirements in UNIX. Both Notepad and Wordpad satisfy the text editor requirements on Windows.
If the configuration file does not specify an editor and no editor is specified on the command line, Tripwire for Servers uses the $VISUAL or $EDITOR environment variables. If these do not specify an editor, Tripwire for Servers displays an error message.

Machine Report Level
Specifies a default level of detail for Tripwire report files generated from the command line.
Default value: 3
Valid values: 0 to 4
0  single line summary report; lists total adds, removes and changes
1  parsable list of all violated objects
2  summary report; lists violations by section and rule name
3  lists added object and removed object violations plus expected vs. observed properties for modified object violations
4  level 3 plus all properties of all violated objects

Machine Report Format
Specifies a default format for Tripwire report files generated from the command line.
Default value: classic (plain text)
Valid values: classic, HTML, XML

Database Printing Format
Specifies a default format for Tripwire database files printed from the command line.
Default value: classic
Valid values: classic, HTML, XML

Database Printing Level
Specifies a default level of detail for Tripwire database files printed from the command line.
Default value: 2
Valid values: 0 to 2
0  summary of the database file, without objects
1  all objects in the database file
2  all objects in the database file, plus properties monitored for each object

Late Prompting
Causes Tripwire for Servers to delay the prompt for passphrases until the last moment. This minimizes the amount of time a passphrase stays in memory.

Policy File Editor
The Policy File Editor provides a method for you to quickly create or edit policy files through a graphical user interface. You can also use a text editor to edit policy files, if you prefer. For information on using the Policy File Editor, see page 72.

The Policy File Editor consists of two (for UNIX) or three (for Windows) tabs, which appear in the lower left of frame:

A. Global Variables
Lists all pre-defined and user-defined variables (each in their own section) by name and associated value. You can add or delete user-defined variables, as well as edit the values associated with each user-defined variable.

B. File System
Displays the variables that exist in the File System section of the policy file (in the upper right pane) and the rules, exclusions, and rule blocks that exist in the policy file (in the lower right pane).

C. Registry
Displays the defined variables that exist in the Registry section of the policy file (in the upper right pane) and the rules, exclusions, and rule blocks that exist in the policy file (in the lower right pane).
NOTE: The Registry tab appears only if you are working with a Windows machine.

Report Viewer
The Report Viewer displays violation reports generated by Tripwire for Servers machines. You also use it to update the database with report information. The Report Viewer consists of three panes:

A. Main Pane
Shows information about the open report files, and the violations within those files, in four different formats.

B. Object Pane
Shows the children of any item selected in the Main Pane.

C. Detail Pane
Shows detailed information for any item selected in the Objects Pane.

Main Pane
In the Main Pane you can switch between four tabs. Each tab provides you with a different view of the information in the open reports.

Reports Tab
Shows all violations reported in the currently-open reports in a hierarchical tree structure. Report files are the top-level nodes in the tree.

Objects Tab
Shows all objects in the open reports for which there have been violations and the number of machines on which the objects were violated.

Violations Tab
Shows violations for all open reports as a list of entries. All times are expressed in the time zone of the Tripwire Manager machine.

Summary Tab
Shows a pie chart of the number and severity of violations in all open reports. Click for a more detailed, printable summary of all current violations.

Detail Pane
The Detail pane displays details about the item that is currently selected. Icons denote any properties with unexpected values.

Report Viewer Icons

Report Files - This icon represents an open report file. The color of the icon reflects the severity level (page 62 of the Tripwire Reference Guide) of the most severe violation in the report:
- Red reports have at least one high-severity violation (severity level 66 or higher)
- Yellow reports have at least one medium-severity violation (severity level 33 to 65), but no high-severity violations
- Blue reports have at least one low-severity violation (severity level 0 to 32), but no high- or medium-severity violations
- Green reports have no violations

Errors - This icon represents errors that Tripwire software encountered during an integrity check. Errors could occur when:
- Permissions prevent Tripwire software from scanning objects
- Objects specified in the policy file are open for exclusive use

Report File Sections - This icon represents a section of the report file being displayed. The three possible sections are:
- Windows file system
- Windows registry
- UNIX file system
The section icons use the same colors as the report file icons (page 11) to display the highest severity level in each section of a report file.

Rules - This icon represents a report file rule that contains one or more violations. The color of the icon reflects the severity of the rule:
- Red rules have a severity level of 66 or higher
- Yellow rules have a severity level between 33 and 65
- Blue rules have a severity level between 0 and 32

Added Object - This icon signifies that a new file, directory, or registry object has been added. The icons are color-coded to indicate severity, as described above. Click on an Added Object violation to see detailed information about the new object in the Details Window.

Removed Object - This icon signifies that a file, directory, or registry object has been removed. The icons are color-coded to indicate severity, as described above. Click on a Removed Object violation to see the expected property information for the object in the Details Window.

Modified Object - This icon signifies that one or more of the properties that Tripwire software monitors for this object have changed. The icons are color-coded to indicate severity, as described above. Click on a Modified Object violation to see both the expected and observed values for the object in the Details Window. Properties that have changed from their expected values are flagged.

Object Pane
The Object pane describes all the child objects of the object that is currently selected in the Main pane. If you select an item in the Main pane, all of the child items are displayed in the Object pane. Click these objects to drill down for more detail.

The Count column displays the number of machines on which violations with the same hash, object name, and origination were detected. Consider this example:

Object          Count
C:\test\DLLS    100

In this case, the count indicates that 100 machines have violations for the C:\test\DLLS object.

Special Menu Options
This section describes menus that give access to special Tripwire Manager features. Common features available in most software interfaces are not described.
NOTE: When Tripwire Manager has a Viewing connection (page 6) with a Tripwire for Servers machine, you cannot access some menu options for that machine.

Manager Menu
Add Machines - Register new Tripwire for Servers machines. You can add machines individually, or import a list of machines. See the Tripwire Manager Quick Start for more information.
Remove Machines - Unregister the selected Tripwire for Servers machines.
Synchronize Machines - Synchronize the Machine Lists for this Manager and another Manager, using a text file (see below). You can choose to add Tripwire for Servers machines, remove existing machines that are not in common, or do both.
Regroup Machines - Move all currently selected machines to a different group (page 14).
Export Selected Machines - Export the information for all selected machines to a text file. You can use this file to register the machines with another Tripwire Manager, or to synchronize another Manager's Machine List with this one (see above).
Export Manager Report - Export a report file to an HTML file.
Change Tripwire Manager Passphrase - Change the Tripwire Manager passphrase (page 99).
Forget Tripwire Manager Passphrase - Immediately clear the Manager passphrase from memory.
Expand Machine Group - Expands the selected Machine Group (in the machine list view).
Collapse Machine Group - Collapses the selected Machine Group (in the machine list view).
Expand All Machine Groups - Expands all Machine Groups in the machine list.
Collapse All Machine Groups - Collapses all Machine Groups in the machine list.

Machine Menu
The Machine Menu provides access to the most commonly-performed tasks. You can also access most of these items from the Action Window (page 16) or by right-clicking a machine in the Machine List.

Edit Configuration File - Edit the configuration file (page 95) for the selected machines.
Edit Policy File - Edit the policy file (page 72) for the selected machines.
Edit Schedule File - Edit the schedule file (page 64) for the selected machines.
Open Integrity System - Open the integrity system for the selected machines. You can then edit and distribute the integrity system or save it locally (page 96).
Distribute File - Distribute a configuration, policy, or schedule file to selected machines.
Archive - Archive reports, policies, configurations, schedules, or integrity systems.
Integrity Check - Run an integrity check (page 58) for selected machines.
View Report - Examine the most recent report file (page 65) for selected machines.
Update Database - Update the database file (page 85) for the selected machines using their latest report file.
Initialize Database - Initialize the database file for the selected machines.
Approve Violations - Approve violations by choosing All, by Severity, or by Template.
Passphrases - Change passphrases using the following sub-menu options:
- Verify Machine Site and Local - Verifies what Tripwire Manager and Tripwire for Servers believe the passphrases are for the selected machine (page 101).
- Change Machine Site Passphrase - Change the site passphrase (page 100) for the selected machines.
- Change Machine Local Passphrase - Change the local passphrase (page 100) for the selected machines.
Refresh Status - Refreshes the Tripwire Manager information for the selected machines.
Cancel Current Task - Halts the current task being performed on the selected machines.
Properties - Edits properties for a machine or group.

View Menu
The View menu controls the appearance of Tripwire Manager. From the View menu, you can:
- Hide or display Tripwire Manager windows to display agent information
- Restore the windows to their default configurations
- Clear the contents of the Output Window
- Expand the Main Window to full screen size
- Open the Preferences dialog
- Manage the open document windows

Preferences
In the Preferences dialog, you set preferences for Tripwire Manager.

Font tab
Set the font and font size used by Tripwire Manager.

Editor tab
Specify the graphical editor or a text editor for editing policy files. In order to use the Policy Editor, the policy file must meet certain criteria (page 72).

Logging tab
Specify a file for logging information. If audit logging is activated (by selecting the Require audit trail information option), you must provide a reason when performing any operation that modifies the integrity system on a Tripwire for Servers machine. This includes editing files, changing passphrases, running an integrity check, initializing a database, or cancelling tasks. This information is displayed in the Output Window, and logged to the Tripwire Manager log file.

Updating tab
Set the polling interval for Tripwire for Servers machines based on their conditions. By decreasing the intervals between updates, you increase the probability that Tripwire Manager accurately portrays a Tripwire for Servers machine at any given time, but at the cost of CPU and network performance. You can decrease CPU and network load by increasing the interval between updates, but the Tripwire Manager's display may be less in sync with the current state of Tripwire for Servers machines.

Timeouts tab
Set timeout values for the amount of time that Tripwire Manager can be left inactive before prompting for the Tripwire Manager passphrase; set timeout values that Tripwire Manager should use to connect to machines. The default timeout settings should be sufficient for most installations. If you have connection problems, see page 108 for more information on timeout settings.

Notification tab
Set the conditions and parameters for notification of down machines or new integrity data. Tripwire Manager can notify by sending e-mail (page 104), by executing a launch command (page 105), and by archiving report files (page 106).

E-mail tab
Set the parameters for sending e-mail when Tripwire Manager uses e-mail as a notification method.

Policy Menu
Editing a Policy File (page 72) makes these items available from the Policy menu:

New - Create a new Variable, Rule Block, Rule, Exclusion, or Rules from Pattern.
Add Rule - Add a Rule.
Add Exclusion - Add an Exclusion.
Find Elements - Locate the Rule or Exclusion for the selected file or registry object.
Find Objects - Locate the file or registry object for the selected Rule or Exclusion.
Move to Block - Move selected Rules or Exclusions to another Rule, Block, or to a new Rule Block.
Convert to Rule - Change selected Exclusions into Rules.
Convert to Exclusion - Change selected Rules into Exclusions.
Refresh - Update the contents of the files or registry items displayed in the Objects pane, synchronizing the display with the current contents of the machine.

Report Menu
Opening a Report Viewer or Database Update makes these items available from the Report menu:

Search - Search all open report files (page 66) for violations with certain criteria.
Filter - Filter all open report files (page 67) using the same criteria as Search. Once you specify a filter, the Report Viewer shows only violations that meet its criteria. You must turn filtering off or change your Search criteria to change this.
Filtering Off - Turn off the current filter. The Report Viewer shows a flat display of all violations.

Use the following options to select or unselect violations to approve in the database (page 86). These options are only available if the Database Update window is open:
- Approve All
- Approve None
- Approve by Severity
- Approve Patch
- Approve by Template

Use the following options to expand or collapse the selected report file, or all open report files:
- Expand Current
- Collapse Current
- Expand All
- Collapse All

Find Rule in Policy - Select an item in a report, and go directly to its rule in the policy file. The machine's policy file must also be open in a graphical policy editor.
Exclude Object from Policy - Select an item in a report, and create a new policy exclusion for it. The machine's policy file must also be open in a graphical policy editor.

Launch Menu
<User Defined Commands> - If you have defined your own launch commands, they appear at the top of the Launch Menu.
Edit Launch Commands - Edits launch commands.
Import Launch Commands - Imports launch commands.
Export Launch Commands - Exports launch commands.

3 Using Tripwire Manager
This chapter explains the operation of Tripwire Manager after you register and configure Tripwire for Servers machines. See the Tripwire Manager Quick Start for more information on configuring Tripwire Manager.

Normal Tripwire Operation
The diagram on the opposite page summarizes the operation of Tripwire software. Each of the steps in the process is described in greater detail in this chapter.

1. After configuring a Tripwire for Servers machine, you can run an integrity check at any time. Most users schedule regular integrity checks (page 64) for each machine in the network. During a check, Tripwire software compares the data snapshot in the database file to the current state of the system and creates a report of changes.
2. If Tripwire software finds changes, you can view the report file to decide if the changes to the system are authorized (for example, caused by an OS update) or unauthorized (due to malicious or accidental changes).
3. If the changes are authorized, you should update the database file for that machine to reflect the current state of the system. This prevents these changes from being flagged as violations in the future. If the changes are unauthorized, you should take appropriate measures, including restoring files from backup, or changing security procedures to prevent further intrusions.
4. After resolving all of the changes, run another integrity check to verify the integrity of the system.
5. After an integrity check, you may want to update the policy file for a machine to monitor new files, or to change rules that are generating unwanted noise in Tripwire report files.

[Figure: flowchart of normal Tripwire operation. Nodes: Start; Run integrity check; Changes found? (Yes/No); Examine report file; Changes permitted? (Yes/No); Update database file; Take appropriate security measures; Policy file working properly? (Yes/No); Update policy file.]

Checking Integrity
You can use Tripwire software to check the integrity of your system at any time. Most users schedule integrity checks (page 64) at regular intervals.

To run an integrity check:
1. Select a machine or group in the Machine List.
2. Select Machine > Integrity Check.
3. Select any desired options for this integrity check:
   - Use the Selective Integrity Check options (page 59) to reduce the scope of this integrity check.
   - Check Send Report to send an e-mail report of violations (page 62).
   - Specify Matching options to determine if and how to apply wildcard patterns during the integrity check (page 63).
4. Click Run to launch the integrity check.

After an integrity check, you can view the report file with the Report Viewer (page 65).

Selective Integrity Check Options
During a regular integrity check, Tripwire applies the entire policy file to check a system. However, you can also run selective checks based on:
- severity levels
- specific rules or groups of rules
- specific objects

You can also:
- ignore particular properties
- apply specific policy file sections
- disable command executions associated with the integrity check
- sign reports
- e-mail reports
- apply wildcard pattern matching

Checking Based on Severity Level
To run an integrity check based on severity level, select Minimum Severity Level and specify a minimum severity level. For example, if you specify a minimum severity level of 50, rules with a severity of less than 50 will not be run.

Checking with Specific Rules Only
To run an integrity check with specific rules, specify them in the Rule to Check field. Keep in mind that rule names are case-sensitive, and must be quoted if they contain spaces. For example, suppose you have a rule named My Project. When you run an integrity check with My Project in the Rule to Check field, only that rule is applied. To apply several rules, you can enter a comma-delimited list of rules, or select from the recently-used rules in the drop-down list.
NOTE: Arranging rules in rule blocks also makes it easy to apply several rules at once. To apply all rules in a rule block, specify the rule block's name in the Rule to Check field. For more information about rule blocks, see page

Checking Specific Objects Only
To check specific directories, files, or registry objects, specify them in the Objects to Check field, like this:

U  object object object...
   /bin /usr
where object is the fully-qualified path to the object.

W  If the policy file is sectioned, specify section and object, like this:
   section: object object... section: object object...
   NTFS: C:\winnt C:\temp FS: /etc/cron.d
where section is NTFS, NTREG, or FS, and object is a fully-qualified path.

NOTE: You cannot use this option in conjunction with the Minimum Severity Level or Rule to Check fields.

Ignoring Properties
To ignore certain properties during an integrity check, specify them in the Properties to Ignore field. When Tripwire software runs an integrity check, collecting data for some properties, particularly hashes, can be time- and resource-intensive. To save resources, you can ignore these properties during the check. List properties to ignore in the Properties to Ignore field, using the following format.

U  property,property,property...
   p,u,g

W  section:property,property,section:property...
   NTFS:access,readonly,write,NTREG:sdc,sacl
where section is NTFS or NTREG, and property is a property that Tripwire monitors. Do not leave spaces between properties. See page 54 of the Tripwire Reference Guide for more information on properties.

W  Checking Based on Policy File Section
To run an integrity check using only a particular policy file section, select that section from the dropdown list in the Section to Check field.

Disabling Command Execution
To disable command execution for the integrity check, select Disable Command Execution. When you select this option, all command executions will be disabled for the integrity check.

Signing Reports
If you specify Signed Report in the Integrity Check dialog box, the report file generated by the integrity check requires a local key passphrase to be opened.
NOTE: Signed reports are not an available option for scheduled events.

E-mailing Integrity Check Reports
You can configure Tripwire to e-mail integrity check reports. A Tripwire for Servers machine sends reports to all addresses specified in the Global field of the Configuration File editor (page 24) for that machine. You can specify the level of report detail included in the e-mail by choosing a level from the dropdown list next to the Level field of the Integrity Check dialog box. You can also specify the format (text, HTML, or XML) for any e-mail generated by the integrity check. Select the format you want from the dropdown list next to the Format field in the Integrity Check dialog box.

Checking Based on Matching Wildcard Patterns
You can use wildcard patterns to specify objects to check during integrity checks. There are three options available for pattern matching during integrity checks:

Perform the Default Matching: When you select this option, Tripwire checks objects based on the wildcard pattern specified in the policy file.

Disallow Wildcards: When you select this option, Tripwire checks all objects, ignoring any wildcard patterns.

Match the Pattern: When you select this option, Tripwire checks all objects that match the pattern you specify (superseding the wildcard pattern in the policy file):
- When a pattern includes (+), the software excludes every object that does not match the include pattern. You can specify exceptions to the pattern with the - character.
- When a pattern excludes (-), the software includes every object that does not match the exclude pattern. You can specify exceptions to the pattern with the + character.
- Multiple patterns may be separated by commas.

Consider these examples:

+*.dll,+*.txt      Checks all .dll and .txt files
-*.txt             Does not check any .txt files
+*.exe,-foo.exe    Checks all .exe files except foo.exe

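A Match the Pattern check narrows what an integrity check verifies, so it helps to preview which objects a pattern leaves unchecked before relying on the resulting report. The following Python sketch is an added example, not Tripwire code: it assumes shell-style globs matched case-sensitively against the final path component, and that the sign of the first pattern selects include or exclude mode; the object list is constructed sample data.

```python
"""Preview which objects a Match the Pattern selective check would cover.

Added illustration, not Tripwire code. Assumptions (not stated in the guide):
  * patterns are shell-style globs matched against the final path component;
  * matching is case-sensitive;
  * the sign of the first pattern decides include (+) or exclude (-) mode,
    and patterns of the opposite sign act as exceptions.
"""
import fnmatch
import re

# Constructed sample objects (Windows and UNIX paths), not from a real report.
SAMPLE_OBJECTS = [
    r"C:\test\DLLS\a.dll",
    r"C:\test\notes.txt",
    r"C:\test\foo.exe",
    r"C:\test\bar.exe",
    "/etc/cron.d/job",
]


def parse_patterns(spec):
    """Split '+*.exe,-foo.exe' into [('+', '*.exe'), ('-', 'foo.exe')]."""
    rules = []
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) < 2 or item[0] not in "+-":
            raise ValueError(f"each pattern needs a + or - prefix: {raw!r}")
        rules.append((item[0], item[1:]))
    return rules


def base_name(obj):
    """Return the last path component, accepting both / and backslash."""
    return re.split(r"[\\/]", obj.rstrip("\\/"))[-1]


def is_checked(obj, rules):
    """Decide whether one object falls inside the scope of the check."""
    name = base_name(obj)
    hit = {
        sign: any(fnmatch.fnmatchcase(name, glob) for s, glob in rules if s == sign)
        for sign in "+-"
    }
    if rules[0][0] == "+":
        # Include mode: must match an include pattern, minus the - exceptions.
        return hit["+"] and not hit["-"]
    # Exclude mode: everything is checked except - matches, plus the + exceptions.
    return hit["+"] or not hit["-"]


def split_scope(objects, spec):
    """Return (checked, not_checked) lists for a comma-separated pattern spec."""
    rules = parse_patterns(spec)
    checked, skipped = [], []
    for obj in objects:
        (checked if is_checked(obj, rules) else skipped).append(obj)
    return checked, skipped


if __name__ == "__main__":
    # The three example patterns from the guide, run over the sample objects.
    for spec in ("+*.dll,+*.txt", "-*.txt", "+*.exe,-foo.exe"):
        checked, skipped = split_scope(SAMPLE_OBJECTS, spec)
        print(f"{spec}\n  checked:     {checked}\n  NOT checked: {skipped}")
```

The "NOT checked" list is the part to review: those objects produce no violations in the report for that run, whatever their state.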
Scheduling Integrity Checks
Schedule files let you schedule periodic integrity checks for Tripwire for Servers. Integrity checks are the only events that you can schedule.

When scheduling routine integrity checks, make sure that only one check is running at a time. For example, if you are running a full integrity check once a day, with incremental checks every hour, make sure that the daily check begins and ends between the hourly checks.

To schedule integrity checks for Tripwire for Servers machines:
1. Select a machine or group in the Machine List.
2. Select Machine > Edit Schedule File.
3. Click New to add a new event.
4. Select an interval in Event Type and provide details in Event Time.
   All schedule file times are expressed in the local time of the Tripwire for Servers machine on which the file is used. However, all times displayed in the Tripwire Manager Machine List are displayed in the time zone of the Tripwire Manager. If you are scheduling integrity checks for machines in different time zones, be sure to adjust the times appropriately.
5. Click Edit Integrity Check Options to specify options for this integrity check (page 58).
6. Select File > Save to Machine to save the schedule file on the machine it originated from.

To distribute the schedule file to multiple machines:
1. Select the machines or groups in the Machine List.
2. Select Machine > Distribute File.
3. Verify the target machines and click OK.

Viewing Reports

You view Tripwire report files with the Report Viewer, which opens in the main Tripwire Manager window.

To open the most recent report file for a machine:
1. Select a machine or group in the Machine List.
2. Select Machine > View Report.
   To enlarge the Report Viewer, select View > Full Screen View.

To open an older Tripwire report file:
1. Select File > Open.
2. Navigate to the directory containing the Tripwire report (.twr) file, select the file, and click Open.
   To enlarge the Report Viewer, select View > Full Screen View.

Tripwire Manager User Guide 65
Searching Reports

With the Search option, you can select a subset of violations from open Tripwire reports. The Search dialog lists violations that fit the specified criteria, even if the violations have been filtered out (page 67).

To search for violations in all open Tripwire report files:
1. Select Report > Search.
2. Enter the search criteria in the Search Opened Reports dialog.
   You cannot use wildcards (* or ?) for keywords, and you must express all times in the time zone of the Tripwire Manager machine.
3. Click Search.
4. Double-click an item in the lower pane of the Search window to see more details.

66 Tripwire Manager User Guide
Filtering Reports

You can filter report files to change the violations displayed in the Report Viewer. Filtering may also change the color of the report file icon (page 39) displayed in the Reports Tab. The status of filtering is shown in the Report Viewer's Status Bar.

To filter the violations displayed for all open Tripwire report files:
1. Select Report > Filter.
2. Enter the filter criteria in the Filter View dialog.
   You cannot use wildcards for keywords, and you must express all times in the time zone of the Tripwire Manager machine.
3. Click Filter.
   The Report Viewer only displays violations that fit the specified criteria until filtering is turned off.

To turn off filtering:
Select Report > Filtering Off.

Tripwire Manager User Guide 67
Exporting a Tripwire Manager Report

You can export a Tripwire Manager report to an HTML file. This report is essentially the machine list in HTML format.

To export report summaries to an HTML file:
1. Select Manager > Export Manager Report.
2. Enter a file name and file type.
3. Click Save.

Events Violations in Reports

Events violations are auditlog events associated with violations. If you track events (a Checking option available via the Configuration Editor, see page 18), events violations are reported in report files along with other violation data for the object.

To understand what events violations indicate, it is helpful to understand how they are detected. Unlike other system objects, Tripwire for Servers does not store baseline values for events. Instead, it simply opens the auditlog (or Security Event log on Windows) to look for events related to objects for which you are tracking events. Because no baseline values for events exist in the database, just the presence of an event for a monitored object is a violation. These events are reported in report files along with other violation data for the object. Level 4 reports provide the most detail on events data.

Generally, the software shows events data as part of a related violation's detail. For example, if the software detects an added violation, and also detects events data related to that violation, it includes the events data as part of that violation's detail.

68 Tripwire Manager User Guide
However, there is one special case where events data is reported differently. If Tripwire detects event data on an object that it does not expect to exist on the file system (because no baseline data for that object exists in the software's database), and the object no longer exists on the current file system (as determined by the integrity check not detecting the object on the file system), it will report event data for that object as an added violation, with the object type Audited Object.

If you see an added violation of the type Audited Object (note that object type is shown only in level 4 reports), it means that an unexpected object appeared on the file system, then disappeared. You should examine these cases closely, as they may indicate malicious activity.

Tripwire Manager User Guide 69
Working with the Policy File

Policy files allow you to determine how Tripwire evaluates changes in your system. The policy file performs two functions:

- Initially, it determines which objects and properties Tripwire for Servers baselines in the corresponding database file.
- Later, during integrity checks, the policy file dictates how Tripwire for Servers scans the system.

By changing the rules in the policy file, you can change the way Tripwire software monitors a system. For example, you may want to change the rules in a policy file to:

- monitor new files or software on a machine
- eliminate unnecessary reporting
- send reports to different people
- group policy file rules differently

70 Tripwire Manager User Guide
Policy File Terms

These terms will help you to understand policy files:

- The policy file specifies how Tripwire software monitors your system. The policy file consists of rules which specify system objects (directories, files, or registry objects) to monitor, and describe which changes to the objects should be reported and which ones can be ignored.
- Exclusions specify objects (directories or files) in the system that you do not want to include in an integrity check. For example, if you know a directory or file will change often, and you don't want to flag such changes as violations, use exclusions. Exclusions are ignored during an integrity check.
- Attributes affect the way that Tripwire for Servers monitors directories or files. For example, you can assign an address to a rule, and if the rule is violated, Tripwire for Servers will send a warning message to that address. See page 60 of the Tripwire Reference Guide for more information on attributes.
- Rule blocks organize rules into groups with similar attributes. For example, if you assign an address to a rule block, Tripwire for Servers will send a warning message to that address if any of those rules are violated. See page 72 of the Tripwire Reference Guide for information on rule blocks.

Tripwire Manager User Guide 71
Editing Policy Files

There are three methods for editing policy files:

- Using a text editor
- Using the graphical Policy File Editor
- Using the graphical Edit Policy from Report

When you edit policy files in a text editor, you write or adjust rules using policy syntax. The Tripwire Reference Guide provides details about the policy syntax.

When you edit policy files with the Policy File Editor, you construct rules via a graphical interface. You can use the Policy File Editor to create or edit a policy file in a way that allows you to finely-detail your policy. Some restrictions apply when using the Policy File Editor:

- All variable definitions must exist outside of rule blocks (at the top level of any section).
- The policy file cannot include directives.
- All rules and exclusions must be contained in rule blocks.
- Nested rule blocks are not allowed.

Policy files that you have created may or may not comply with these restrictions. If they do not comply, continue to use the text editor provided with Tripwire Manager.

NOTE: If a policy file does not meet the criteria listed above, Tripwire Manager will automatically open the policy file in the text editor.

For a description of the graphical Policy File Editor, see page 35.

Use the Edit Policy from Report feature to select an item in a report and go directly to its rule in the policy file. You can also select an item in a report, and create a new policy exclusion for it. The machine's report must be open, as well as the machine's policy file in a graphical policy editor.

72 Tripwire Manager User Guide
To open a policy file with the graphical Policy File Editor:
1. Open the desired report.
2. Choose View > Preferences.
3. Select the Editor tab.
4. Select Use the structured editor when possible.
5. Click OK.
6. Select a machine or group in the Machine List.
7. Select Machine > Edit Policy File.
   If the policy file meets the criteria listed on page 72, the graphical Policy File editor window appears.

To find a rule in the policy file using Edit Policy from Report:
1. Open the desired report.
2. Select an item in the report.
3. Choose Find Rule in Policy from either the Report menu or the right-click context menu.
   The policy window appears, with the rule selected.

To exclude an object from policy:
1. Open the desired report.
2. Select an item that you no longer wish to monitor.
3. Choose Exclude Object from Policy from either the Report menu or the right-click context menu.
   The policy window appears, with a new exclusion added in the same block as the rule that caused the violation.

Tripwire Manager User Guide 73
Working with Policy File Variables

Variables in a policy file provide a method for you to represent information that will be used more than once in a policy file. This allows you to change the value of a variable and have that change reflected throughout the policy file (with each occurrence of the variable).

There are two types of variables in a policy file:

- Global variables: these are variables that apply to all sections of the policy file.
- Local variables: these are variables that apply only to the policy file section in which they are defined.

When you open a policy file with the Policy File editor, all existing global variables and their associated values appear in the Global Variables pane.

To create a global variable:
1. Select the Global Variables tab.
2. Right-click in the User Defined Variables pane, and select New Variable.
3. Enter a name and value for the variable.
4. Click OK.

To edit a global variable:
1. Select the Global Variables tab.
2. Right-click in the User Defined Variables pane on the variable you want to edit, and select Properties.
3. Change the name or value for the variable.
4. Click OK.

74 Tripwire Manager User Guide
To delete a global variable:
1. Select the Global Variables tab.
2. Right-click in the User Defined Variables pane on the variable you want to delete, and select Delete.

To create a local variable:
1. Select the File System tab
   or
   Select the Registry tab.
2. Right-click in the User Defined Variables pane, and select New Variable.
3. Enter a name and value for the variable.
4. Click OK.

To edit a local variable:
1. Select the File System tab
   or
   Select the Registry tab.
2. Right-click in the User Defined Variables pane on the variable you want to edit, and select Properties.
3. Enter a name and value for the variable.
4. Click OK.

To delete a local variable:
1. Select either the File System tab or the Registry tab.
2. Right-click in the User Defined Variables pane on the variable you want to delete, and select Delete.

Tripwire Manager User Guide 75
Working with Rules and Rule Blocks

It is often useful to group rules and exclusions in blocks in order to use common attributes for all rules in that block. When you open a policy file with the Policy File Editor, all existing rule blocks and their associated attributes appear in the Policy File Contents pane.

76 Tripwire Manager User Guide
Creating Rule Blocks

Rule blocks provide a method for grouping rules.

To create a new rule block:
1. Select the File System tab.
   or
   Select the Registry tab.
2. Right-click in the Policy File Contents pane, and select New Rule Block.
3. Enter a name for the rule block.
4. Specify values for the various attributes of the rule block (to, Severity, Recurse Level, and On Violation) by entering the value in one of the following ways:
   - Typing the value directly into the associated text box.
   - Choosing a value from the drop-down list.
   - Click Insert Variable.

NOTE: For the On Violation property, you can browse to find a command or executable file.

Tripwire Manager User Guide 77
To change attributes for a rule block:
1. Select the File System tab.
   or
   Select the Registry tab.
2. Select the rule block you want to edit.
3. Right-click in the Policy File Contents pane, and select Properties.
4. Specify values for the various attributes of the rule block (to, Severity, Recurse Level, and On Violation) by entering the value in one of the following ways:
   - Typing the value directly into the associated text box.
   - Choosing a value from the drop-down list.

NOTE: For the On Violation attribute, you can browse to find a command or executable file.

To delete a rule block:
1. Select the File System tab.
   or
   Select the Registry tab.
2. Select the rule block you want to delete.
3. Right-click and choose Delete.
4. Click Yes when Tripwire asks if you want to delete the object.

NOTE: Any rules and exclusions included in the rule block will be deleted as well.

78 Tripwire Manager User Guide
Creating Rules

Certain properties apply to rules. You access and modify these properties by selecting the rule in the policy file editor, and choosing Properties from the popup menu. These properties include:

Rule Block - Specifies a rule block in which the rule resides.
Object Name - Specifies the object that is checked by the rule.
Rule Name - Specifies a name for the rule. Rule names are case-sensitive.
Properties - Lists the properties associated with the object to be checked. (See the Tripwire Reference Guide for more information on the available properties.)
to - Specifies recipients for reports generated when a violation is detected on the object being checked.
Severity - Assigns a level of severity to the rule. You can use any number from 0 to 1,000,000. A higher number indicates a higher level of severity. (Tripwire Manager color-codes severity levels based on a range of 0 to 100.)
Recurse Level - Specifies the number of levels of hierarchy within the object that Tripwire will descend when applying the rule.
Match Pattern - Specifies a wildcard pattern that is used to identify objects to which the rule applies.
On Violation - Specifies an executable file to launch when there is a violation.

Tripwire Manager User Guide 79
To generate rules from a pattern:
1. Select the File System tab.
2. Right-click in the Policy File Contents pane, and select New Rules from Pattern.
3. Select a pattern from the list on the left.
   or
   Click Add and type a pattern or file name in the appropriate text box.
4. Choose a rule block from the drop-down list.
   or
   Create a new rule block for the rule by clicking New Rule Block and completing the resulting dialog box.
5. Specify properties and severity for the new rule from the appropriate drop-down list and click OK.

U  When editing a policy for a UNIX system, the policy editor represents symbolic links as objects. If your policy file specifies that a symbolic link is to be monitored, Tripwire will make certain that link is not changed to point to a different location.

To create a rule or exclusion for a particular object:
1. Select the File System tab.
   or
   Select the Registry tab.
2. Select the object in the left pane of the window.
3. Right-click and choose Add Rule or Add Exclusion as appropriate.
4. If necessary, modify the properties for the rule or exclusion by selecting it in the Policy File Contents pane, right-clicking, and choosing Properties.
5. Modify the properties of the rule or exclusion.
6. Click OK.

80 Tripwire Manager User Guide
To delete a rule or exclusion:
1. Select the File System tab.
   or
   Select the Registry tab.
2. Select the rule or exclusion you want to delete.
3. Right-click and choose Delete.
4. Click Yes when Tripwire asks if you want to delete the object.

Tripwire Manager User Guide 81
Updating the Policy File

Policy update allows you to edit a policy file and synchronize it with the current database file in one process. The process follows these steps:

[Figure: policy update process, with inputs "new policy file" and "old policy file". Runs integrity check using rules in new policy file; collects new data from the system; checks integrity of objects that are in both policy files; updates database file and synchronizes with new policy file.]

1. Using the rules in the new policy file, Tripwire for Servers runs an integrity check to gather data about the current state of a system.
2. Any violations of the rules in the old policy file that are also covered by rules in the new policy file are detected and reported. See page 84 for more information.
3. When you save the policy file, Tripwire Manager displays a dialog box from which you choose a security mode:

   Exit if any violations are found during update
      High security mode. If violations are detected, the policy file and database are not updated.
   Update the policy, but don't accept any violations
      Medium security mode. The policy and database are updated only with new objects that do not have violations. No violations are accepted into the database.
   Approve all violations found during update
      Low security mode. All changes are accepted into the database. Not recommended.

We recommend that you always update the policy file in medium or high security mode, so that the database is not updated with inaccurate information.

82 Tripwire Manager User Guide
To update the policy file for a Tripwire for Servers machine:
1. Select a machine or group in the Machine List.
2. Select Machine > Edit Policy File.
3. Edit the rules in the policy file.
4. Select File > Save to Machine to update the policy file on the machine from which it originated.
5. Select Update Policy File and a security mode (see table on page 82).
6. Click OK.

To overwrite the current policy file, select Overwrite Existing Policy File. The policy file for the selected machine is replaced with the current file, and you now must generate a new database file for this machine.

To update the policy files for multiple machines:
1. Open and edit a policy file.
2. Select the machines or groups in the Machine List whose policy files you want to update.
3. Select Machine > Distribute File. Verify the target machines for the update.
4. Click OK.
5. Select Update Policy File and a security mode (see table on page 82).
6. Click OK.
   The policy file on each selected machine is updated with the new file.

To overwrite the current policy file on all selected machines, select Overwrite Existing Policy File. The policy files are overwritten, and you now must generate new database files.

Tripwire Manager User Guide 83
Resolving Violations During a Policy Update

Violations discovered during a policy update should be treated as integrity check violations. Tripwire for Servers responds to these violations based on the security mode you specify. We recommend that you always update the policy file in medium or high security mode, so that the database is not updated with inaccurate information.

Exit if any violations are found during update
   High security mode. If violations are detected, the policy file and database are not updated.
Update the policy, but don't accept any violations
   Medium security mode. The policy and database are updated only with new objects that do not have violations. No violations are accepted into the database.
Approve all violations found during update
   Low security mode. All changes are accepted into the database. Not recommended.

84 Tripwire Manager User Guide
Updating the Database File

If Tripwire software finds changes during an integrity check, you should determine if the changes are unauthorized (malicious or accidental change, for example) or authorized (caused by an OS upgrade, for example).

If the changes are unauthorized, take action to restore the system to its original state. This may include restoring files from backup and taking steps to prevent this change in the future. After making changes, you can run another integrity check to verify the integrity of the system.

If the changes are authorized, you should update the database file to reflect the new state of the system. Otherwise, the changes will continue to appear as violations in future integrity checks.

NOTE: If you have enabled event tracking (see page 22), Tripwire may report event data for monitored directories as violations. When you update the database, event violations are displayed in the database update report with a ballot box that cannot be unchecked. This indicates that any update database operation will effectively approve those audited objects. For more information about events and the event horizon, see page 63 of the Tripwire for Servers User Guide.

You update the database file by approving individual changes from a report file. If you approve a change, Tripwire software updates that object's data in the database file with the value from the report file. If you don't approve a change, integrity checks will continue to report the change.

Tripwire Manager also includes software verification functionality that provides a method for quickly approving changes that may result from an upgrade. So, for example, if you install software on a machine, you can approve the resulting changes using this new functionality.

Tripwire Manager User Guide 85
To update the database file for a Tripwire for Servers machine:
1. Select a machine or group in the Machine List.
2. Select Machine > Update Database from the menu.
   To enlarge the Report Viewer, select View > Full Screen View.
3. In the Report Viewer, click on a violation in the left pane to see more detailed information.
4. Check the box for every violation in the report file that is a valid change. You can also use one of the following toolbar buttons:
   - Selects all violations in the report.
   - Deselects all violations in the report.
   - Allows you to enter the minimum number of machines on which a particular violation must occur in order for that violation to be accepted as legitimate. This is useful when identical changes have been made to multiple machines, such as occurs with a patch update or software rollout.

86 Tripwire Manager User Guide
   - Approve by Template
   - Approve by Severity
5. Click Update.

Tripwire Manager User Guide 87
Approving All Violations

Normally when updating the database on multiple machines, you must open all the reports, select all the violations, then update the database. If you already know you want to approve all violations on selected machines, and you do not need to examine the violations individually, you can use the Machine > Approve All Violations command to approve them all at once. This provides the shortest workflow for approving violations on multiple machines.

To approve all violations:
1. Select a machine or group in the Machine List.
2. Select Machine > Approve All Violations.
   The Approve All Violations dialog opens.
3. Select Stop updating or Report and continue to choose how to handle errors that may occur while updating.
4. Click OK.

88 Tripwire Manager User Guide
Approve by Severity

The Approve by Severity feature provides a way for users to approve violations based solely on their severity.

To approve by severity from the Report menu:
1. Select a machine or group in the Machine List.
2. Select Machine > Update Database from the menu.
3. Select Report > Approve by Severity from the menu.
   The Approve by Severity dialog box opens.
4. Set minimum and maximum levels for the Approve violations with a severity of... fields.
   The settings for minimum and maximum are retained from one execution to the next.
5. Uncheck Remove approval for all other violations (optional).
   This setting allows users to clear any checkboxes that are already set before the approval by severity is done. This setting is enabled by default.

To approve by severity from the Machine menu:
For a shorter workflow, users can approve by severity without examining each violation.
1. Select a machine or group in the Machine List.
2. Select Machine > Approve Violations > by Severity from the menu.
   The Approve operation is performed on the selected machine or group.

Tripwire Manager User Guide 89
Approve by Template

The Approve by Template feature provides a way for users to pre-approve violations. Violations are approved based on one of the following selectable matching modes:

- Matching the violated object's name and hash values, and the type of violation (added, removed, changed). This mode is valid with .twr files only.
- Matching the violated object's name (.txt and .twr files)
- Matching the Rulename the violation belongs to (.txt and .twr files)

A template may be one of three kinds of files:

- Tripwire binary report file (.twr)
- Plain text file with individual items listed one per line (comment lines start with a # character)
- Classic level 1 parsable Tripwire report

Approving by template using a binary report file:
1. Make a set of changes to one system, and determine that the resulting violations are to be trusted.
2. Click on Machine > Archive > Report File in the menu to preserve a copy of this report.
3. Make the expected changes to the targeted set of production servers.
4. Click Machine > Integrity Check to run integrity checks on the targeted production servers.
5. Open the resulting report files from those production servers for database update.
6. Select Approve By Template and specify the report file from step 1.
   All trusted changes from step 1 are automatically approved.

90 Tripwire Manager User Guide
Matching Modes

Object Names and Hashes Must Match

With this mode, you can approve a violation if the template file has a violation in it with exactly the same object name, hash value and type of violation: added, removed, or changed. This mode cannot be used with a text file template.

You should monitor the same hash properties in the targeted machine's policy file as you are monitoring in the template file's source machine. If you don't monitor the same hashes, then the hashes should at least overlap.

Directories and registry keys have no content of their own, and therefore no hashed values. Consequently, they are always approved in this mode.

NOTE: Be aware that for Windows systems, alternate data streams are not a part of this matching process.

NOTE: The comparison is case sensitive for UNIX machines, but not for Windows machines.

NOTE: Event violations don't have a hash value. If you use a report file containing event violations in Object Name and Hash mode, the event violations will be approved.

Violations can be approved only if the hash properties in the target machine's policy file are the same as in the template report.

Only Object Names Must Match

This mode compares each violated object's name to see if the same name is in the template file. The type of violation (added, removed, or changed) is not taken into consideration.

U  The filename comparison is case-sensitive when approving violations for a UNIX machine.
W  The filename comparison is not case-sensitive when approving violations for a Windows machine.

Tripwire Manager User Guide 91
Only Rule Names Must Match

In this mode, a violation is approved if a violation in a rule with the same name is found in the template file. The comparison is not case sensitive. The type of violation (added, removed, or changed) is not taken into consideration.

Be aware that more violations could be approved than are found in the template, because you are approving by Rule Name. For example, if a report file has 42 violations under a rule named MS Exchange, and the template file has 23 violations under a rule also named MS Exchange, then all 42 of those violations will be approved.

92 Tripwire Manager User Guide
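The three matching modes approve very different sets of violations from the same template. The model below is an added example, not Tripwire code: the record layout, function names, paths and short hash strings are all constructed, and it assumes hashes "match" when both sides share at least one algorithm and every shared algorithm agrees. It follows the guide's statements that objects with no hash values are always approved in name-and-hash mode and that rule-name matching ignores case.

```python
"""Model of the Approve by Template matching modes (added example, not Tripwire code)."""
from dataclasses import dataclass, field


@dataclass
class Violation:
    name: str                                    # object name (file, directory, registry key)
    rule: str                                    # name of the rule the violation falls under
    kind: str                                    # "added", "removed" or "changed"
    hashes: dict = field(default_factory=dict)   # algorithm -> value; empty for dirs/keys/events


def _norm(name, windows):
    # Per the guide: object names compare case-sensitively on UNIX, not on Windows.
    return name.lower() if windows else name


def _hashes_agree(a, b):
    # Assumption: at least one shared algorithm, and all shared algorithms agree.
    shared = set(a) & set(b)
    return bool(shared) and all(a[k] == b[k] for k in shared)


def approve(report, template, mode, windows=False):
    """Return (approved, not_approved) for one report under one matching mode."""
    names = {_norm(t.name, windows) for t in template}
    rules = {t.rule.lower() for t in template}   # rule names compare case-insensitively
    approved, not_approved = [], []
    for v in report:
        if mode == "name_and_hash":
            # Hashless objects (directories, registry keys, events) are always approved.
            ok = (not v.hashes) or any(
                _norm(t.name, windows) == _norm(v.name, windows)
                and t.kind == v.kind
                and _hashes_agree(t.hashes, v.hashes)
                for t in template
            )
        elif mode == "name":
            ok = _norm(v.name, windows) in names   # violation type is ignored
        elif mode == "rule":
            ok = v.rule.lower() in rules           # violation type is ignored
        else:
            raise ValueError(f"unknown mode: {mode}")
        (approved if ok else not_approved).append(v)
    return approved, not_approved


# Constructed template: trusted violations from the system changed first.
TEMPLATE = [
    Violation("/opt/app/bin/server", "App Binaries", "changed", {"sha1": "aa11"}),
    Violation("/opt/app/lib/libx.so", "App Binaries", "changed", {"sha1": "bb22"}),
    Violation("/opt/app/conf", "App Config", "added"),
]

# Constructed report from a production server after the same rollout.
REPORT = [
    Violation("/opt/app/bin/server", "App Binaries", "changed", {"sha1": "aa11"}),   # as expected
    Violation("/opt/app/lib/libx.so", "App Binaries", "changed", {"sha1": "ff99"}),  # different content
    Violation("/opt/app/bin/helper", "app binaries", "added", {"sha1": "cc33"}),     # not in template
    Violation("/opt/app/tmp", "Scratch", "added"),                                   # directory, no hash
    Violation("/etc/passwd", "System Files", "changed", {"sha1": "dd44"}),           # unrelated change
]


def approved_names(mode, windows=False):
    return [v.name for v in approve(REPORT, TEMPLATE, mode, windows)[0]]


if __name__ == "__main__":
    for mode in ("name_and_hash", "name", "rule"):
        print(f"{mode:14} -> {approved_names(mode)}")
```

In this data, only name-and-hash mode rejects the library whose content differs from the template, while rule-name mode also approves a file the template never contained.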
Approving by template using the Report menu:

This feature is available when a database update window is open.
1. Select a machine or group in the Machine List.
2. Select Machine > Update Database from the menu.
3. Choose Report > Approve by Template from the menu.
   The Approve by Template dialog box appears.
   NOTE: Your settings in the Approve by Template dialog box are retained from one execution to the next.
4. Select the desired approval matching criteria. Choose from the following options:
   - Object names and hashes must match
   - Only violated object names must match
   - Only violated rule names must match
5. Select the file to be used as the template. Click the ellipsis... button to specify a report or text file in the Open File dialog box.
6. Choose the file type you want from the Files of type: drop-down menu.
7. Specify that file's character encoding in the File encoding: field, if you are selecting a text file.
8. Check Remove approval for all other violations to clear any approved violation(s) that may already be set.
9. Click OK to finish the approval.
   The Results dialog box opens, showing a report of how many violations were approved, how many were not approved, and how many were in the template but not in the report.

Tripwire Manager User Guide 93
Approving by template using the Machine menu:

You can approve violations on a machine without opening its current report in a document window. Use one of the options from the Machine > Approve Violations menu to perform an approve operation on the selected machine.
1. Select a machine or group in the Machine List.
2. Select Machine > Approve Violations, and then choose by Template.
3. Select the desired approval matching criteria. Choose from the following options:
   - Object names and hashes must match
   - Only violated object names must match
   - Only violated rule names must match
4. Click OK.
   Results appear in the output window.

94 Tripwire Manager User Guide
Changing Configuration Options

The configuration file controls many aspects of Tripwire for Servers operation, including:

- location of Tripwire files
- settings it uses to send reports
- information written to log files
- the way it performs integrity checks

See the Tripwire Reference Guide for a complete explanation of the parameters in the configuration file.

To edit the configuration file for a machine:
1. Select a machine or group from the Machine List.
2. Select Machine > Edit Configuration File.
3. Edit the parameters in the configuration file.
   Consult the Tripwire Reference Guide for detailed information on configuration file parameters.
4. Select File > Save to Machine to install the configuration file on the machine it originated from.

To distribute the configuration file to multiple machines:
1. Select a machine or group in the Machine List.
2. Select Machine > Distribute File.
3. Verify the target machines.
4. Click OK.

Tripwire Manager User Guide 95
Distributing an Integrity System

Tripwire Manager provides a method for you to distribute an integrity system to selected servers in your network from a single source. An integrity system is the six core Tripwire for Servers files:

- policy file
- database file
- configuration file
- schedule file (optional)
- site key
- local key

By distributing an integrity system you can:

- Create a template for integrity data that you can use repeatedly, whenever you add a new machine to your database.
- Update the integrity system on multiple machines simultaneously.
- Experiment with different integrity system data for a particular machine, while maintaining a safe backup integrity system to which you can revert at any time.

To distribute an integrity system successfully, the target server must have the same operating system and identically-named integrity system files.

NOTE: When Tripwire Manager distributes the new integrity system, the existing six files are saved and renamed with a .bak extension.

96 Tripwire Manager User Guide
To acquire an integrity system from a server:
1. Select the machine with the source integrity system.
2. Choose Machine > Open Integrity System.
3. If the passphrases for the selected machine are not stored locally, you must enter them at the prompt. These passphrases become the passphrases for the acquired integrity system.
4. Add comments (optional) to the Memo pane of the window.

If you want, you can save the integrity system locally by choosing the Save icon on the toolbar, or by choosing File > Save. If you save the integrity system locally, Tripwire Manager creates a .twi file. At this point, you can distribute the integrity system to other servers.

To distribute an integrity system to multiple target servers:
1. Acquire an integrity system from a server as described above.
   or
   Open a .twi file.
2. Select the target machines you want to receive the new integrity system.
3. Click Distribute File. Tripwire Manager distributes the integrity system to the selected target machines.
4. Tripwire Manager will prompt you for passphrases that are not stored locally. You must enter the current passphrases before the integrity system is distributed.

NOTE: Encrypted versions of the site and local passphrases are stored along with the files in an integrity system. When you distribute an integrity system, the target machine's site and local passphrases are changed to match the associated passphrases in the source integrity system. Also note that locally-stored passphrases for the target machine are replaced by the new passphrases.
Archiving Files

You can archive report files, policy files, configuration files, schedule files, or integrity systems. This lets you back up your Tripwire data. Typically, the most useful files to archive are reports and integrity systems.

Archive filenames use the format $(HOSTNAME)-$(DATE).appropriate-extension. $(DATE) is the time/date on the Tripwire Manager box at the time the archive begins. For example: webserver twr.

NOTE: The archive operation uses the same encoding as the most recent Open or Save locally as operation you have performed.

To archive integrity systems:
1. Right-click a machine or group in the Machine List.
2. Select Archive > Integrity Systems from the context menu. The Choose the destination directory dialog opens.
3. Navigate to a directory and click Choose Directory. A progress dialog appears and archiving occurs.

To archive reports:
1. Right-click a machine or group in the Machine List.
2. Select Archive > Report Files from the context menu. The Choose the destination directory dialog opens.
3. Navigate to a directory and click Choose Directory. A progress dialog appears and archiving occurs.
Changing Passphrases

Important Tripwire files are cryptographically signed and protected with a passphrase. You can change the passphrases for Tripwire Manager or Tripwire for Servers machines at any time.

When you change a passphrase, you must assign a passphrase that adheres to the following rules:
- The passphrase must consist of at least 8 characters.
- It must contain at least one alphabetic character (a-z, A-Z) or a space character.
- It must contain at least one other printable character that is not alphabetic.

The Tripwire Manager passphrase is cached for 5 minutes (by default) after the Manager passphrase is entered. The passphrase timeout can be adjusted. See the Appendix for more information on security measures in the Tripwire Manager system.

To change the time interval for retaining a Manager passphrase:
1. Select View > Preferences.
2. Choose the Timeouts tab.
3. Enter a time interval (in minutes) for the passphrase timeout.
4. Click OK.

To change the Manager passphrase:
1. Select Manager > Change Tripwire Manager Passphrase.
2. Enter the current Manager console passphrase, then enter and verify a new passphrase.
3. Click OK to implement the change.
To change the site or local passphrase for a machine:
1. Select a machine or group from the Machine List.
2. Select Machine > Passphrases, then Change Machine Site Passphrase or Change Machine Local Passphrase.
3. Enter the current site or local passphrase for the machine, then enter and verify a new site or local passphrase.
4. Click OK to implement the change.
Verifying Passphrases

To verify site and local passphrases:
1. Select any number of machines or machine groups from the machine list.
2. Select Machine > Passphrases > Verify Machine Site and Local Passphrases from the menu. Tripwire Manager requests verification from each machine. The Verify Site and Local Passphrases results dialog box appears containing the results of the verifications.
3. Any passphrases listed as Unverified require your attention. Determine whether or not this was an expected result.
   - If Yes, remove and reregister the machines.
   - If No, work within your requirements to correct the situation.
4. Click OK to close the dialog box.
Sending Notifications

Notifications allow Tripwire Manager to automatically take an action when a registered machine's Tripwire Agent goes down or has new integrity data. Tripwire Manager supports the following notification actions:
- Send E-mail (page 104)
- Execute a Launch Command (page 105)
- Archive Reports (page 106)

WARNING: Tripwire Manager only sends notifications while it is running. For notifications to continue functioning, you must keep Tripwire Manager running all the time. If you close Tripwire Manager, it can no longer send notifications.

You can set a time interval in minutes that Tripwire Manager will wait between sending notifications. If any machines go down or finish integrity checks containing new data within this time interval, Tripwire Manager summarizes the activity in a single notification instead of sending a separate notification for each machine. However, notifications that execute a launch command with Machine context still execute a separate command for each machine requiring notification (see page 105).

Notification Triggers

Notification triggers determine when Tripwire Manager sends notifications.
- The Down Machine trigger happens when a registered machine's Agent is not responding.
- The New Integrity Data trigger happens when a registered machine has new integrity data.

If you disable both triggers, Tripwire Manager sends no notifications.
Configuring Notifications

To configure notifications:
1. Select View > Preferences.
2. Select the Notification tab.
3. Check the notification triggers you want to use.
4. Check the notification mechanisms you want to use.
   - If you check Send E-mail, also configure the options in the E-mail tab of the Preferences dialog.
   - If you check Execute Command, choose a launch command with the right context to execute. For more information on Launch Commands, see page 105.
   - If you check Archive Report, select a destination directory for the archived files.
5. Set the Time Interval to the number of minutes you want Tripwire Manager to wait between notifications.
6. Click OK.
Notify by Send E-mail

Tripwire Manager can send e-mail when a notification trigger occurs. The subject line of the e-mail explains how many machines were involved. Example: Subject: Notification about 7 Agents.

If the notification is in response to down machines, the body of the e-mail lists the names of machines that have gone down. If the notification is in response to new integrity data, the body of the e-mail lists the names of machines with new integrity data and provides brief summary information about the changes on each machine as a level 0 report.

To notify by sending e-mail:
1. Select View > Preferences.
2. Click the Notification tab.
3. Select one or more notification triggers.
4. Select Send E-mail.
5. Select the E-mail tab.
6. Enter a value for SMTP Server.
7. Enter a value for SMTP Port.
8. Enter a value for To Addresses.
9. Enter a value for From Address.
10. Click OK.
Notify by Execute Command

You can use a launch command (page 130) for notification. You can only select commands with Global or Machine context as a notification mechanism. When Tripwire Manager executes a command with Machine context, the command executes for every machine requiring notification.

To notify by executing a launch command:
1. Create at least one launch command (page 130).
2. Select View > Preferences.
3. Click the Notification tab.
4. Select one or more notification triggers.
5. Select Execute Command.
6. Select a launch command from the list.
7. Click OK.
Notify by Archive Report

Tripwire Manager can automatically archive a copy of the Tripwire for Servers binary report file when new integrity data arrives. This allows you to archive report files automatically instead of manually (page 98).

To notify by archiving the report:
1. Select View > Preferences.
2. Click the Notification tab.
3. Select New integrity data as a notification trigger.
4. Select Archive Report.
5. Select a destination directory for the archived file.
6. Click OK.
Troubleshooting

This section describes some common problems with Tripwire Manager and the steps to resolve them. If you still have problems, contact Tripwire Technical Support:

website: toll-free: TWSUPPORT (6am-6pm Pacific) phone:

Registration Problems

When registering or unregistering Tripwire for Servers machines, the Tripwire Manager and Tripwire for Servers machines exchange authentication keys to facilitate secure communication. If either of these processes is disrupted (the network link is broken, you enter a passphrase incorrectly, etc.) you cannot connect to that machine.

Solution: Unregister, and then re-register the machine.

WARNING: If you have a second Tripwire Manager machine that you want to have the same agent registered to as the first machine, select the machine, and then Manager > Synchronize Machine from the menu. Do not copy the console.dat or console.key file between any two machine installations of Tripwire Manager.
Connection Problems

A number of things can cause connection problems with Tripwire for Servers machines. The error type is displayed in the Machine List.

Network Error

Tripwire Manager's attempts to contact the machine failed.

Solution: Check that Tripwire Agent is running on this machine, and that the machine name, IP address, and port specified for the machine are correct. Verify the Agent configuration file agent.cfg has not changed.

Connection Error

There was a problem with the networking protocol.

Solution: First, try to refresh the status of the Tripwire for Servers machine by right-clicking the machine and selecting Refresh Status from the context menu. If the Machine List shows frequent connection errors, you may want to adjust the timeouts settings in the Preferences dialog (page 48). Users with networks where delays in network communications are normal may want to increase the timeout values.

Authentication Failure

The authentication handshake failed, meaning that the authorization key on either the Tripwire Manager or the Tripwire for Servers machine is corrupted.

Solution: Unregister the machine, then re-register the machine.
Resolving Database Update Problems

You may encounter errors when updating the database file if:
- the report file used to update the database file has already been used to update the database file
- the report file used to update the database file was generated using a different database file than the database being updated
- the database file has been updated with a more recent report file

By default, when Tripwire Manager encounters errors during a database update, it prints the errors to the Output Window, then exits without updating the database file.

Solution: If there is no other way to update the database file, force the database update by changing the On Error setting at the bottom of the Database Update dialog. If you change this setting to Report and Continue, Tripwire Manager will update the database file with the new information.

Because the errors listed above can lead to corruption of the database file, we recommend that you always update the database file using the default Stop Updating option.
4 Integrating with Other Applications

This section explains how to use Tripwire Manager features to integrate with external applications. You can launch Tripwire Manager from external applications (page 113), or other applications from within Tripwire Manager (page 130).
Launching Manager From External Applications

Introduction

Tripwire Manager's general design is based on the assumption that you can execute a command line to extend most third-party systems. For example, these can be used to produce specific responses in an EMS console, or in trouble-ticketing systems, in response to specific kinds of errors.

Launching Tripwire Manager in context means that you launch Tripwire Manager, supplying command-line parameters that cause it to perform an action such as to view a particular report or run integrity checks. This is as opposed to launching Tripwire Manager normally, which just displays the main screen.

If you launch Tripwire Manager in context, and you already have Tripwire Manager open (running) on the same machine, then Tripwire Manager will attempt to perform the requested actions using the already-open copy of Tripwire Manager. It will not open a new copy.

If performing a given operation manually requires entering the console passphrase, Launch in Context will also require it.
Command Reference

This section provides a list of the commands that can be included on the command line together with a description of the arguments to those commands.

IMPORTANT: All context command line options are case sensitive and any context command line options that are not recognized cause an error to appear in the output window.

Machine Lists

Several of the commands take a list of machines as their argument. A machine list is a semi-colon separated list of group names, machine names or IP addresses. Use the group name and the machine name as each appears in the Tripwire Manager Machine List window. The required IP address is a standard dot-separated IP address. See the following syntax:

TW_Manager -viewreports {group_name, machine_name, ip_address}[;... ]

For example:

TW_Manager -viewreports "IT Services;WebServer"
TW_Manager -viewreports " ;Web Services"
TW_Manager -viewreports " ; ; "
Launch in Context Commands

The Launch In Context (LIC) command uses qualifiers to allow immediate command execution without user intervention. Launch in Context commands can be placed anywhere on the command line.

Types of Launch in Context Commands

Qualifier

Qualifier Launch in Context commands do not directly cause Tripwire Manager to perform an action. Instead, they provide TM with information that is necessary when it executes immediate LICs. There are three Qualifier Launch in Context commands:

-managerpassphrase <PassphraseText>
-user <usertext>
-reason <reasontext>

Use -managerpassphrase to supply Tripwire Manager with its manager passphrase. When audit logging is enabled, use -user <usertext> and -reason <reasontext> to supply Tripwire Manager with a user and reason for the action being performed.
Immediate

Immediate commands execute without requiring user responses. Error dialogs that require approval will not be displayed; errors and messages go to the output window. Use immediate commands, such as

-integritychecknow <Machines> -managerpassphrase <p>

to cause Tripwire Manager to perform an integrity check without user intervention.

User

User commands prepare Tripwire Manager for actions. For example, entering

-updatedatabase Group

causes the Update Database window to appear. It is automatically ready for the user to select approved violations.
Understanding the Arguments

Below is information about what arguments are, and what they require to work. You will want to read through this information first, in order to fully understand the Launch in Context commands.

Argument
    Detail

<AddMachineSpecList>
    Semi-colon separated list of machine specifications. See page 118 for examples
<DestDir>
    Destination Directory where information is stored
<ErrorAction>
    Stop - Stop updating
    Continue - Report and continue
<LaunchAppsCommand>
    Name of the launch command as it appears in the Tripwire Manager menu
<Machines>
    Semicolon separated list of machine names, group names, or IP addresses
<Max>
    Number representing the highest severity to include
<Min>
    Number representing the lowest severity to include
<ObjectSpecification>
    Machine name or IP address: Object: Filename or Registry entry name. See page 119 for examples
<TemplateMode>
    ObjNameAndHash - Object names and hashes must match
    ObjName - Only violated object names must match
    RuleName - Only violated rule names must match
<TemplateFileName>
    Fully qualified pathname to a template file.
Launch in Context Commands

Every Launch in Context command consists of a command and its associated argument. Multiple arguments are separated by a colon.

Immediate LIC Commands

Command Argument
    Function

-approveall <Machines>:<ErrorAction>
    Perform an Update Database on all machines in the machine list approving all violations. Requires -managerpassphrase
-approvebyseverity <Machines>:<Min>:<Max>:<ErrorAction>
    Perform an Update Database on all machines in the machine list approving by severity. Requires -managerpassphrase
-approvebytemplate <Machines>:<TemplateMode>:<TemplateFileName>:<ErrorAction>
    Perform an update database on all machines in the machine list approving by template. Requires -managerpassphrase
-archiveconfigurationfiles <Machines>:<DestDir>
    Archive the configuration files of the machines in the machine list
-archiveintegritysystems <Machines>:<DestDir>
    Archive the integrity systems of the machines in the machine list. Requires -managerpassphrase
Immediate LIC Commands, continued

Command Argument
    Function

-archivepolicyfiles <Machines>:<DestDir>
    Archive the policy files of the machines in the machine list
-archivereportfiles <Machines>:<DestDir>
    Archive the report files of the machines in the machine list
-archiveschedulefiles <Machines>:<DestDir>
    Archive the schedule files of the machines in the machine list
-integritychecknow <Machines>
    Perform integrity checks on the machine list without user intervention
-launch <LaunchAppsCommand>
    Launch a Launch Applications TM command. Requires -managerpassphrase
User LIC Commands

Command Argument
    Function

-addmachines <addmachinespeclist>
    Display and populate the Add machines dialog with machine information
-editconfiguration <Machines>
    Display the configuration files of the machines from the machine list
-editintegritysystem <Machines>
    Display the integrity systems of the machines from the machine list
-editpolicy <Machines>
    Display the policy files of the machines from the machine list
-editschedule <Machines>
    Display the schedule files of the machines from the machine list
-integritycheck <Machines>
    Perform integrity checks, with user intervention, on the machine list
-selectinreport <ObjectSpecification>
    Select a specific object in a report
-updatedatabase <Machines>
    Display the Update Database editor
-verifypassphrases <Machines>
    Verify the site and local passphrases for the machine list
The commands listed below all use the Qualifier LIC command type.

Qualifier LIC Commands

Command Argument
    Function

-managerpassphrase <ManagerPassphrase>
    Supplies TM with a manager passphrase
-reason <Reason>
    Specify an audit reason for audit logging
-user <User>
    Specify an audit user for audit logging

Certain Immediate LICs require qualifiers when audit logging is enabled and actions require it. For example, Integrity Check Now and all Approve by actions.

Manager Passphrase Command

The Manager Passphrase command is required for immediate LIC commands.

Example of syntax:

-integritychecknow <machines> -managerpassphrase <p>
-approvebyseverity <machines>:<min>:<max>:<erroraction> -managerpassphrase <p>

Example commands:

./tw_manager -integritychecknow webservers -managerpassphrase manager123
-approvebyseverity webservers:0:32:stop -managerpassphrase manager123
-User and -Reason Commands

The Manager Passphrase command is required for immediate LIC commands, when the Tripwire Manager audit log is enabled.

Example of syntax:

-approveall <machines>:<erroraction> -managerpassphrase <p> -user <u> -reason <r>
-approvebytemplate <machines>:<templatemode>:<templatefilename>:<erroraction> -managerpassphrase <p> -user <u> -reason <r>

Example commands:

./tw_manager -approveall webservers:stop -managerpassphrase manager123 -user admin -reason updatedb
./tw_manager -approvebytemplate webservers:objnameandhash:/usr/local/tripwire/manager/report.twr:stop -managerpassphrase manager123 -user admin -reason updatedb
Approve All Command

The Approve All Violations command has the following syntax:

-approveall <Machines> -managerpassphrase <ManagerPassphrase>

All violations are approved for each of the specified machines in the machine list.

Approve by Severity Command

The Approve by Severity command has the following syntax:

-approvebyseverity <machines>:<min>:<max>:<erroraction> -managerpassphrase <ManagerPassphrase>

All violations in the specified severity range are approved on all machines in the machine list.

Approve by Template Command

The Approve by Template command has the following syntax:

-approvebytemplate <Machines>:<TemplateMode>:<reportFileName>:<ErrorAction> -managerpassphrase <ManagerPassphrase>

All matching violations are approved on all machines in the machine list.

Archive Configuration Files Command

The Archive Configuration Files command has the following syntax:

-archiveconfigurationfiles <Machines>:<DestDir>

All configuration files of the machines in the machine list are archived.
Archive Integrity Systems Command

The Archive Integrity Systems command has the following syntax:

-archiveintegritysystems <Machines>:<DestDir> -managerpassphrase <ManagerPassphrase>

All integrity systems of the machines in the machine list are archived.

Archive Policy Files Command

The Archive Policy Files command has the following syntax:

-archivepolicyfiles <Machines>:<DestDir>

All policy files of the machines in the machine list are archived.

Archive Report Files Command

The Archive Report Files command has the following syntax:

-archivereportfiles <Machines>:<DestDir>

All report files of the machines in the machine list are archived.

Archive Schedule Files Command

The Archive Schedule Files command has the following syntax:

-archiveschedulefiles <Machines>:<DestDir>

All schedule files of the machines in the machine list are archived.

Edit Configuration Command

The Edit Configuration command has the following syntax:

-editconfiguration <Machines>
This command causes the configuration file for each of the specified machines to be opened in a Configuration File Editor.

Edit Policy Command

The Edit Policy command has the following syntax:

-editpolicy <Machines>

This command causes the policy file for each of the specified machines to be opened in a Policy File Editor.

Edit Schedule Command

The Edit Schedule command has the following syntax:

-editschedule <Machines>

This command causes the schedule file for each of the specified machines to be opened in a Schedule File Editor.

Edit Integrity System Command

The Edit Integrity System command has the following syntax:

-editintegritysystem <Machines>

This command causes the integrity system for each of the specified machines to be opened in an Integrity System Editor.

NOTE: Tripwire Manager may prompt for a console passphrase when launched in this context because the edit integrity system action requires a console passphrase.
Integrity Check Command

The Integrity Check command has the following syntax:

-integritycheck <Machines>

This command opens an Integrity Check dialog in which the user can specify the parameters of the integrity check operation to perform on each of the specified machines.

Integrity Check Now Command

The Integrity Check Now command has the following syntax:

-integritychecknow <Machines> -managerpassphrase <ManagerPassphrase>

This command causes an integrity check to be performed on the machine list, without user intervention. If audit logging is enabled, you must use the following syntax:

-integritychecknow <Machines> -managerpassphrase <ManagerPassphrase> -user <User> -reason <Reason>

Launch Command

The Launch command has the following syntax:

-launch <LaunchAppsCommand> -managerpassphrase <ManagerPassphrase>

This command causes a Launch Applications TM command to launch.
Update Database Command

The Update Database command has the following syntax:

-updatedatabase <Machines>

This command opens the Database Update window for each of the specified machines.

Verify Passphrases Command

The Verify Passphrases command has the following syntax:

-verifypassphrases <Machines>

This command verifies the site and local passphrases for each of the specified machines.

View Reports Command

The View Reports command has the following syntax:

-viewreports <Machines>

This command causes the report file for each of the specified machines to be opened in a Report File Viewer.
Add Machines Command

The Add Machines command has the following syntax:

-addmachines machine_name[,group_name[,address[,port[,memo]]]][;... ]

For example:

TW_Manager -addmachines AppServer
TW_Manager -addmachines "AppServer,IT Group, ,1169,memo"

Individual items that contain spaces must be quoted.

Use a semi-colon separated list of information about the machines to be registered. The information must include at least a machine name but may also include the group name, the IP address, the port number for the machine, and a memo field. The command will cause the Add Machines dialog to be opened with one entry in the machine list for each set of machine information that was provided.
Select in Report Command

The Select In Report command has the following syntax:

-selectinreport (machine name or IP address):object name

For example:

TW_Manager -selectinreport AppServer:/etc/hosts
TW_Manager -selectinreport :'C:\config.sys'

This command causes the violation associated with the specified object to be selected. If there is a Database Update window or Report File Viewer open with the report for the specified machine already in it, the violation is selected in that window. Otherwise, a Report File Viewer is opened on the report from the specified machine and the violation is selected.
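As an added example (not from the Tripwire guide and not Tripwire code), this Python helper assembles the argument list for the immediate Launch in Context commands in the command reference above, so an EMS or trouble-ticket integration can hand it to the launcher as a list rather than a shell string and log it with the passphrase masked. The function names, the rule that machine names may not contain ';' or ':', and the case-insensitive check of <ErrorAction> and <TemplateMode> values are assumptions.

```python
"""Build argv lists for Tripwire Manager immediate Launch in Context (LIC) commands."""

ERROR_ACTIONS = ("Stop", "Continue")                        # <ErrorAction>
TEMPLATE_MODES = ("ObjNameAndHash", "ObjName", "RuleName")  # <TemplateMode>

# Immediate LIC commands and their colon-separated argument fields (command tables above).
IMMEDIATE = {
    "-approveall": ("machines", "error_action"),
    "-approvebyseverity": ("machines", "min", "max", "error_action"),
    "-approvebytemplate": ("machines", "template_mode", "template_file", "error_action"),
    "-archiveconfigurationfiles": ("machines", "dest_dir"),
    "-archiveintegritysystems": ("machines", "dest_dir"),
    "-archivepolicyfiles": ("machines", "dest_dir"),
    "-archivereportfiles": ("machines", "dest_dir"),
    "-archiveschedulefiles": ("machines", "dest_dir"),
    "-integritychecknow": ("machines",),
    "-launch": ("launch_command",),
}
# Commands the guide shows together with -managerpassphrase.
NEEDS_PASSPHRASE = {
    "-approveall", "-approvebyseverity", "-approvebytemplate",
    "-archiveintegritysystems", "-integritychecknow", "-launch",
}
REDACTED = "********"


def join_machines(machines):
    """Return the semicolon-separated <Machines> value (group names, machine names, IPs)."""
    if not machines:
        raise ValueError("machine list is empty")
    for name in machines:
        # Assumption: ';' splits the list and ':' splits arguments, so neither may
        # appear inside a name; the guide describes no escape for them.
        if not name or ";" in name or ":" in name:
            raise ValueError(f"unusable machine or group name: {name!r}")
    return ";".join(machines)


def _check_choice(value, allowed, label):
    # The guide's argument table capitalises these values while its example lines
    # show them in lower case, so compare without case and keep the caller's spelling.
    if str(value).lower() not in {a.lower() for a in allowed}:
        raise ValueError(f"{label} must be one of {allowed}, got {value!r}")
    return str(value)


def build_lic(command, fields, passphrase=None, user=None, reason=None):
    """Return argv (without the launcher itself) for one immediate LIC command."""
    if command not in IMMEDIATE:  # command-line options are case sensitive
        raise ValueError(f"not an immediate LIC command: {command!r}")
    schema = IMMEDIATE[command]
    if set(fields) != set(schema):
        raise ValueError(f"{command} takes exactly these fields: {schema}")
    parts = []
    for key in schema:
        value = fields[key]
        if key == "machines":
            value = join_machines(value)
        elif key == "error_action":
            value = _check_choice(value, ERROR_ACTIONS, "<ErrorAction>")
        elif key == "template_mode":
            value = _check_choice(value, TEMPLATE_MODES, "<TemplateMode>")
        elif key in ("min", "max"):
            value = int(value)  # severities are numbers
        parts.append(str(value))
    if "min" in fields and int(fields["min"]) > int(fields["max"]):
        raise ValueError("<Min> is greater than <Max>")
    argv = [command, ":".join(parts)]
    if command in NEEDS_PASSPHRASE and not passphrase:
        raise ValueError(f"{command} requires -managerpassphrase")
    if passphrase:
        argv += ["-managerpassphrase", passphrase]
    # With audit logging enabled the guide's syntax pairs -user with -reason.
    if (user is None) != (reason is None):
        raise ValueError("-user and -reason must be given together")
    if user is not None:
        argv += ["-user", user, "-reason", reason]
    return argv


def redact(argv):
    """Return a copy of argv for logs or tickets with the passphrase value masked."""
    out = list(argv)
    for i in range(len(out) - 1):
        if out[i] == "-managerpassphrase":
            out[i + 1] = REDACTED
    return out


if __name__ == "__main__":
    # Constructed sample values; a real passphrase would come from a prompt or secret store.
    argv = build_lic(
        "-approvebyseverity",
        {"machines": ["IT Services", "WebServer"], "min": 0, "max": 32, "error_action": "Stop"},
        passphrase="constructed-passphrase", user="admin", reason="updatedb",
    )
    # Pass ["TW_Manager", *argv] to subprocess.run() as a list so no shell parses the ';'.
    print(redact(argv))
```

Because -managerpassphrase travels as a command-line argument, it can appear in process listings on the Tripwire Manager host; the redact() copy is the one to write to logs or tickets.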
Launching External Applications

Overview

Launch Commands provide a way to integrate Tripwire Manager with external applications.
- Command line Launch Commands enable Tripwire Manager to launch external applications (page 130).
- E-mail Launch Commands send e-mail from Tripwire Manager (page 132).

You can execute Launch Commands from the toolbar, from the Launch menu, or by configuring Tripwire Manager to execute Launch Commands as a notification method (page 102).

Launch commands execute within a Launch Context (page 136). The Launch Context determines which parameters the command can pass to external applications. See page 146 for the Launch Command Parameter List.

The process of designing Launch Commands is similar to shell programming. Expect to spend some time testing and debugging your Launch Commands.
Types of Launch Commands

General Attributes

All launch commands have the following attributes:

Name
    This is the name of the launch command that will be displayed within the user interface. This name appears, for example, on the launch command menu item used to execute the launch command.
Toolbar Label
    This is the label that displays on the toolbar button used to execute the launch command. A short name for this label helps conserve screen space on the toolbar.
Context
    The context is used to specify the state of the Manager that is required in order for the launch command to be executable.

Command line launch command

A command line launch command is a launch command that executes an external application when it is executed. The external application is specified using command line syntax.

Command
    The command is the system command that will be executed. The user may browse to a specific command or directly enter the name of an existing executable or script.
Arguments
    This often contains Launch Command Parameters, and may be any parameterized text. This text is passed to the command specified in the Command field.
Tripwire Manager scans the argument text and substitutes any Launch Command containing stored parameters that it finds. Launch Command Parameters that contain a m* executes once for each selected item. If this generates multiple commands, each command will be executed serially.

E-mail launch command

An e-mail launch command is a launch command that will send e-mail when it is executed.

To Addresses
    A semicolon-separated list of the e-mail addresses of the recipients of the e-mail.
From Address
    The e-mail address of the sender of the e-mail.
Subject
    The subject line for the e-mail. Tripwire Manager replaces valid Launch Command Parameters found here with their values.
Body
    The body of the e-mail. Tripwire Manager replaces valid Launch Command Parameters here with their values. This may generate e-mails.

NOTE: In order for the e-mail launch command to work, you must already have configured the e-mail notification parameters.
Working with Launch Commands

Creating Launch Commands

To create a new command line Launch Command:
1. Select Launch > Edit Launch Commands.
   or
   Right-click an active Launch Command tool bar button and select Edit or Properties.
2. Click New Command Line. The Command Line Launch Command Properties dialog opens.
3. Fill in values for the new Launch Command.
4. Click OK.

To create a new e-mail Launch Command:
1. Select Launch > Edit Launch Commands.
   or
   Right-click an active Launch Command tool bar button and select Edit or Properties.
2. Click New E-mail. The Command Line Launch Command Properties dialog opens.
3. Fill in values for the new Launch Command.
4. Click OK.
Executing Launch Commands

Launch commands become enabled or disabled depending upon the user interface context of Tripwire Manager. See Launch Contexts on page 116.

To execute a Launch Command:
1. Click the Launch Command's button in the toolbar.
   or
   Select the desired command from the Launch menu.

Modifying Launch Commands

To modify an existing launch command:
1. Right-click an enabled command's button in the toolbar and select Properties from the context menu.
or
1. Select Launch > Edit Launch Commands. The Edit Launch Commands dialog box opens.
2. Double-click the Launch Command you want to edit. The Properties dialog box opens.
Deleting Launch Commands

To delete a launch command:
1. Select Launch > Edit Launch Commands.
   or
   Right-click an active Launch Command tool bar button and select Edit Launch Commands.
2. Select the Launch Commands you want to delete.
3. Click Delete.
4. Click Yes.

Exporting Launch Commands

You can export Launch Commands to a plain text file in order to share them among multiple installations of Tripwire Manager. Do not hand-edit these files.

To export launch commands:
1. Select Launch > Export Launch Commands. The Save dialog box opens.
2. Choose a destination file name.
3. Click Save.

Importing Launch Commands

To import launch commands:
1. Select Launch > Import Launch Commands. The Open dialog opens.
2. Select an import file.
3. Click Open.
Launch Contexts

The launch context setting determines when you can execute the Launch Command and what information it can pass to an external application. Tripwire Manager can also execute Launch Commands as notifications.
Launch Commands

You can execute a Launch Command when the conditions for that command's Launch Context are fulfilled. Each Launch Context provides a set of parameters that the launch command can pass to an external application.

Launch Context | Conditions
Global | Always available
Machine List | One or more machines is selected in the machine window
Report List | Reports are open for viewing or for database update
Report | Report viewer or Database Update window is active and a report, or item under a report is selected
Update Database | Database Update window is active
Rule Block | Report viewer or Database Update window is open and the reports tab, and rule block or violation is selected
Violation | Report viewer or Database Update window is active and a violation is selected

More than one launch context can be active at the same time. For example, when the report viewer is active and a report is selected, this fulfills the conditions for the following launch contexts:
- Global Context (because Global Context always applies)
- Report List Context (because the report viewer is active)
- Report Context (because the report viewer is active and a report is selected)
Global Context

You can execute a launch command with global context at any time. Global context supports the following parameters:

%M: This parameter is replaced by the HTML code that is a current manager report.
%T: This parameter is replaced by the full path to a temporary file containing an HTML file that is a current manager report generated when the launch command is executed. Tripwire Manager does not remove these files when it exits, so you must remove them manually.
%U: Name of user under which Tripwire Manager process is currently running.
Machine List Context

You can execute a launch command with machine context when you have selected one or more machines in the Machine window. Note that %m* executes the launch email or command once for each selected machine. Machine list context supports the following parameters:

%c: This parameter is replaced by the number of selected machines, expressed as a decimal integer without punctuation.
%G: This parameter is replaced by the name of a file containing the group/machinename list.
%g: This parameter is replaced by a group/machinename list.
%I: This parameter is replaced by a file containing machine IP list.
%i: This parameter is replaced by a newline-delimited list of the IP addresses of the selected machines.
%m*.x: This parameter is replaced by the value of the machine detail specified by X.
%n: This parameter is replaced by a newline-delimited list of the names of the selected machines. The order of the names is not guaranteed, but the names will always be listed in the same order as the IP addresses of the selected machines as represented by the %i parameter.
%N: This parameter is replaced by a temporary file name containing a list of machines that are selected, down, or have new integrity data.
Report List Context

You can execute a launch command with report list context when the report viewer or Database Update window is active. Report list context supports the following parameters:

%Ln (n=0..4): This parameter is replaced by the concatenated text of all reports displayed, which can otherwise be too large. The parameter name must be followed by an integer from zero (0) to four (4) that indicates the level of reports to be generated. For example %L2 would be replaced by the text of all level 2 reports for the displayed reports.
%Fn (n=0..4): This parameter is replaced by the name of a temporary file containing the concatenated text of all reports generated from the displayed reports. The parameter name must be followed by an integer from zero (0) to four (4) that indicates the level of reports to be generated. For example %F2 would be replaced by the name of a temporary file containing the text of all level 2 reports.

Note that when level 1, 2, 3, or 4 reports are concatenated, each report in the concatenation starts with a level zero report as a header.
Report Context

You can execute a launch command with report context when the report viewer or Database Update window is active and a report, or item under a report is selected in the window. Report context supports the following parameters:

%rl (L=0..4): This parameter is replaced by the text of a report generated from the selected report. The parameter name must be followed by an integer from zero (0) to four (4) that indicates the level of report to be generated. For example %r2 would be replaced by the text of a level 2 report.
%tl (L=0..4): This parameter is replaced by the name of a temporary file containing the text of a report generated from the given report. The parameter name must be followed by an integer from zero (0) to four (4) that indicates the level of report to be generated. For example %t2 would be replaced by the name of a temporary file containing the text of a level 2 report.
%R.X: This parameter is replaced by the value of the report detail specified by X, which can otherwise be too large.
%S: This parameter is replaced by the name of the machine on which the report was generated.
Rule Block Context

You can execute a launch command with rule block context when the report viewer or Database Update window is open, the reports tab is visible, and a rule block or violation is selected. Rule context supports the following parameters:

%B.X: These parameters are replaced by Rule block information as given by x.
Update Database Context

You can use update database context to specify a Tripwire Manager context which is active when the Manager displays a Database Update window. Update Database context supports the following parameters:

%Fni (n=0..4): This parameter is replaced by the name of a temporary file that contains a level n report containing information on elements included for update.
%Fne (n=0..4): This parameter is replaced by the name of a temporary file that contains a level n report containing information on elements excluded from the update.
%Lni (n=0..4): This parameter is replaced by the concatenation of level n reports containing information on elements included for update.
%Lne (n=0..4): This parameter is replaced by the concatenation of level n reports containing information on elements excluded from the update.
%S: This parameter is replaced by the name of the machine on which the report was generated.
Violation Context

You can execute a launch command with violation context when the report viewer or Database Update window is active and a violation is selected in the window. Violation context supports the following parameters:

%V.X: This parameter is replaced by the value of the violation detail specified by X.
Launch Command Parameters

When Tripwire Manager encounters parameters within a Launch Context that is valid for that parameter, it replaces them with a value. When Tripwire Manager encounters parameters outside their legal Launch Contexts, it evaluates them instead of replacing them with a value.

Some parameters produce values that contain spaces, new lines, quotes, etc. Though these values work in the body of an email, values containing these characters may affect command line option behavior and in some cases the subject line of an email.

In some cases, %r0 for example, you may wish to pass a parameter's values as a single command line option (by quoting the parameter specification) or as a set of values (by not quoting the parameter specification). This depends upon what the command line script is expecting.

Microsoft Outlook may wrap parameter values delimited by newlines. Set Outlook menu item Format > Unwrap Text to see the correct representation of a multi-line value as generated by Tripwire.

Parameters with numeric values, for example %m*.v (violation count), may return a question mark (?) if Tripwire Manager cannot determine the value, that is, when Tripwire Manager's Machines would display an ellipsis (...).
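Because substituted values can carry spaces, newlines and quotes into a command line, the script that a command line Launch Command starts should validate what it receives before acting on it. The following Python sketch is an added example, not code from the Tripwire guide or product: it accepts %i whether the parameter was quoted (one newline-delimited argument) or unquoted (one argument per address), treats "?" as an undetermined numeric value, and builds argument lists that never pass through a shell. The function names are hypothetical, and the sample values in the comments are constructed.

```python
"""Validate values handed to a script by a command line Launch Command."""
import ipaddress
import sys

PING = r"C:\WINDOWS\SYSTEM32\PING.EXE"  # path used in the guide's Ping example


def parse_count(value):
    """Parse a numeric parameter such as %c or %m*.v.

    Returns None for "?", which the guide says is returned when
    Tripwire Manager cannot determine the value.
    """
    value = value.strip()
    if value == "?":
        return None
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"not a plain decimal integer: {value!r}")
    return int(value)


def parse_ip_arguments(args):
    """Split %i into addresses, whichever way the parameter was quoted.

    Quoted:   one argument such as "10.0.0.5\n10.0.0.6" (constructed sample)
    Unquoted: one argument per address
    Returns (accepted, rejected); nothing is silently dropped.
    """
    accepted, rejected = [], []
    for arg in args:
        for token in arg.split():  # splits on newlines and spaces alike
            try:
                accepted.append(str(ipaddress.ip_address(token)))
            except ValueError:
                rejected.append(token)
    return accepted, rejected


def machine_record(ip_arg, violations_arg):
    """Validate one per-machine invocation, e.g. arguments: "%m*.i" "%m*.v"."""
    accepted, rejected = parse_ip_arguments([ip_arg])
    if rejected or len(accepted) != 1:
        raise ValueError(f"expected exactly one IP address, got {ip_arg!r}")
    return {"ip": accepted[0], "violations": parse_count(violations_arg)}


def ping_commands(addresses):
    """Build one argv list per address; meant for subprocess.run without shell=True."""
    return [[PING, address] for address in addresses]


if __name__ == "__main__":
    addresses, rejected = parse_ip_arguments(sys.argv[1:])
    if rejected:
        sys.exit(f"refusing values that are not IP addresses: {rejected!r}")
    for command in ping_commands(addresses):
        print(command)
```

For large values such as report text, the temporary-file parameters (%t0 to %t4, %F0 to %F4, %I) keep the content off the command line entirely.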
Launch Command Parameter List

The tables on the following pages contain an alphabetical reference to parameters. Use the following key to understand the abbreviations in those tables:

G - Global
ML - Machine List
RL - Report List
UD - Update Database
R - Report
V - Violations
RB - Rule Block
Param | Description | Context | Use (Command Line, subject, body)
%B.a | the added object count | RB | x x x
%B.c | the changed object count | RB | x x x
%B.e | the number of errors | RB | x x x
%B.m | the address list of this rule block | RB | x
%B.M | name of a temporary file of the list of addresses | RB | x x x
%B.n | the name of the rule block | RB | x x x
%B.o | list of objects under the currently selected rule block | RB | x
%B.O | name of a temporary file of a list of the objects under currently selected rule block | RB | x x x
%B.r | the removed object count | RB | x x x
%B.v | the number of violations in the rule block | RB | x x x
%B.x | the rule block severity | RB | x x x
%c | the number of selected machines | ML | x x x
%F0 | name of temporary file containing concatenation of level 0 reports | RL | x x x
%F0e | name of temporary file containing concatenation of level 0 reports, excluding selected violations | UD | x x x
%F0i | name of temporary file containing concatenation of level 0 reports, including selected violations | UD | x x x
%F1 | name of temporary file containing concatenation of level 1 reports | RL | x x x
%F1e | name of temporary file containing concatenation of level 1 reports, excluding selected violations | UD | x x x
%F1i | name of temporary file containing concatenation of level 1 reports, including selected violations | UD | x x x
%F2 | name of temporary file containing concatenation of level 2 reports | RL | x x x
%F2e | name of temporary file containing concatenation of level 2 reports, excluding selected violations | UD | x x x
%F2i | name of temporary file containing concatenation of level 2 reports, including selected violations | UD | x x x
%F3 | name of temporary file containing concatenation of level 3 reports | RL | x x x
%F3e | name of temporary file containing concatenation of level 3 reports, excluding selected violations | UD | x x x
%F3i | name of temporary file containing concatenation of level 3 reports, including selected violations | UD | x x x
%F4 | name of temporary file containing concatenation of level 4 reports | RL | x x x
%F4e | name of temporary file containing concatenation of level 4 reports, excluding selected violations | UD | x x x
%F4i | name of temporary file containing concatenation of level 4 reports, including selected violations | UD | x x x
%g | group/machinename list | ML | x
%G | name of a temporary file containing the group/machinename list | ML | x x x
%i | IP address list | ML | x
%I | temporary file containing machine IP list | ML | x x x
%L0 | concatenation of level 0 reports | RL | x
%L0e | concatenation of level 0 reports, excluding selected violations | UD | x
%L0i | concatenation of level 0 reports, including selected violations | UD | x
%L1 | concatenation of level 1 reports | RL | x
%L1e | concatenation of level 1 reports, excluding selected violations | UD | x
%L1i | concatenation of level 1 reports, including selected violations | UD | x
%L2 | concatenation of level 2 reports | RL | x
%L2e | concatenation of level 2 reports, excluding selected violations | UD | x
%L2i | concatenation of level 2 reports, including selected violations | UD | x
%L3 | concatenation of level 3 reports | RL | x
%L3e | concatenation of level 3 reports, excluding selected violations | UD | x
%L3i | concatenation of level 3 reports, including selected violations | UD | x
%L4 | concatenation of level 4 reports | RL | x
%L4e | concatenation of level 4 reports, excluding selected violations | UD | x
%L4i | concatenation of level 4 reports, including selected violations | UD | x
%M | Manager Report HTML content | G | x
%m*.a | added violation count | ML | x x x
%m*.c | changed violation count | ML | x x x
%m*.d | report date | ML | x x x
%m*.g | group path | ML | x x x
%m*.h | high violation count | ML | x x x
%m*.i | IP address | ML | x x x
%m*.l | low violation count | ML | x x x
%m*.m | medium violation count | ML | x x x
%m*.n | machine name | ML | x x x
%m*.o | memo | ML | x x x
%m*.o | operating system name | ML | x x x
%m*.p | port number | ML | x x x
%m*.r | removed violation count | ML | x x x
%m*.s | connection status | ML | x x x
%m*.v | violation count | ML | x x x
%m*.x | maximum severity | ML | x x x
%n | list of machines that are selected / down / have new integrity data | ML |
%N | file name of list of machines that are selected, down, or have new integrity data | ML | x x x
%r0 | report text of level 0 report | R | x x x
%r1 | report text of level 1 report | R | x x
%r2 | report text of level 2 report | R | x
%r3 | report text of level 3 report | R | x
%r4 | report text of level 4 report | R | x
%R.C | name of configuration file | R | x x x
%R.d | name of database file | R | x x x
%R.D | report creation time | R | x x x
%R.e | total errors encountered | R | x x x
%R.h | host id | R | x x x
%R.i | IP address | R | x x x
%R.l | command line used to invoke Tripwire | R | x x x
%R.o | number of objects scanned | R | x x x
%R.p | policy file name | R | x x x
%R.s | system name | R | x x x
%R.u | creator | R | x x x
%R.v | number of violations | R | x x x
%R.x | maximum severity | R | x x x
%S | machine name for selected report | R | x x x
%T | Manager Report temporary file name | G | x x x
%t0 | report level 0 temporary file name | R | x x x
%t1 | report level 1 temporary file name | R | x x x
%t2 | report level 2 temporary file name | R | x x x
%t3 | report level 3 temporary file name | R | x x x
%t4 | report level 4 temporary file name | R | x x x
%U | name of user under which Tripwire Manager process is currently running | G | x x x
%V.o | full path name of the violated object | V | x x x
%V.D | details of the violation | V | x
Launch Command Examples

Telnet

This example runs the telnet command once for each selected machine to connect to that machine.

Command: C:\WINDOWS\SYSTEM32\CMD.EXE
Arguments: /c start C:\WINDOWS\SYSTEM32\TELNET.EXE %m*.i
Context: Machine List

Ping

This example pings each selected machine. Since Ping is a command-line application, its output goes to the Tripwire Manager output window.

Command: C:\WINDOWS\SYSTEM32\PING.EXE
Arguments: %m*.i
Context: Machine List

View Manager Report in Browser

This example opens the Tripwire Manager report using Internet Explorer.

Command: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Arguments: %T
Context: Any
Email Manager Report

This example emails the Tripwire Manager report to someone.

Context: Global
To Addresses:
From Address:
Subject: Current Tripwire Status
Body: %M

Send Email about a Specific Report

This example sends an email to a group of people about a specific report. The subject line contains the number of violations and the name of the system. The body of the email contains the level 3 report.

Context: Report
To Addresses: [email protected]
From Address: [email protected]
Subject: Who made these %R.v changes to %R.s?
Body: %r3
Appendix: Tripwire Manager Security Measures

Because Tripwire software is used to establish the security of machines throughout the network, it must itself be protected from intruders. The Tripwire Manager system protects internal security using a combination of techniques, including Secured Sockets Layer technology, cryptographic signatures, and authentication.
Cryptographic Signatures

To prevent tampering, Tripwire files on each Tripwire for Servers machine are stored on disk in a binary-encoded and signed form, using El Gamal asymmetric cryptography with 1024 bit keys. The El Gamal process signs files using a paired set of keys, a public key and a private key, which are generated and stored together in a key file. The private key is protected with a passphrase, and to alter Tripwire files that are signed, you must provide the passphrase for the private key of the key file that is used to sign the files.

On each Tripwire for Servers machine, a site key file is used to protect the policy and configuration files, which can be used across an entire site. By default, the same site key file is used to encrypt the Agent configuration file. The local key file is used to protect database and (optionally) report files, which are specific to a particular system.
Passphrase Management

Tripwire Manager stores the site and local passphrases for each machine registered to that Manager in the file console.dat. The passphrases are stored encrypted using triple DES with 168 bit keys based on a Manager passphrase. When a Tripwire Manager sends a command to a Tripwire for Servers machine that requires a site or local passphrase, the Manager prompts the user for the Manager passphrase. This passphrase is used to decrypt the passphrases in console.dat, allowing the Manager to access and send the appropriate passphrase for the Tripwire for Servers machine.

When you register a Tripwire for Servers machine with the Tripwire Manager, you can also choose not to store the passphrases on the Manager. In this case, every time you perform an operation that requires the site or local passphrase, you must enter these passphrases for each machine involved.

Because the Manager passphrase controls access to all the machines on the network, neither the passphrase nor the 168 bit key that it generates is permanently stored on disk. Instead, they are stored for 5 minutes (by default) after the Manager passphrase is entered, and you must periodically re-enter the passphrase. You can adjust the time interval for which the passphrases are stored as described on page 99.

Warning: Cryptographic techniques do not protect against all attacks, such as the deletion of Tripwire data files. For maximum security, important files should be protected by regularly verifying their hash using the Tripwire for Servers siggen utility, comparing to known reliable backups, or storing on read-only media.
Authentication

Every communication between the Tripwire Manager and Tripwire for Servers machines is authenticated, allowing each party to verify the identity of the other. The Tripwire authentication process uses El Gamal public/private key cryptography with 1024 bit keys, similar to the process used to sign Tripwire for Servers files.

Key Exchange

The Tripwire Manager and Tripwire for Servers machines register each other by exchanging public authentication keys. These keys are generated and distributed when each Tripwire for Servers machine is added to the Manager, using this process:

1. When the Tripwire Manager software is installed, it generates a public/private El Gamal key pair, the authentication key file, which is stored in the file console.key.
2. A Tripwire for Servers machine that is installed, but not connected to any Tripwire Manager, is said to be unregistered. An unregistered machine does not accept any request from a Tripwire Manager except a registration request.
   Warning: A Tripwire for Servers machine in an unregistered state accepts the first registration request it receives, making it vulnerable to attacks from an outside source acting as the Tripwire Manager. For this reason, you should minimize the amount of time between installation of Tripwire for Servers software and registration with a Tripwire Manager.
3. When a Tripwire for Servers machine is registered to a Tripwire Manager, the Manager sends the public key from its authorization key file to the Tripwire for Servers machine.
4. The Tripwire for Servers machine generates its own public/private El Gamal key pair, which is stored with the Manager public key on the Tripwire for Servers machine.
5. The Tripwire for Servers machine sends its public authentication key to the Tripwire Manager, which stores it with the corresponding entry for that machine in the file console.dat.

Once the Tripwire Manager and the Tripwire for Servers machine have exchanged keys, every time a connection is made between the two, each side authenticates the other by generating a random data packet and requesting that the other side digitally sign it. The signed packet can be verified using the public key of the signer.

Changing Authentication Keys

You may want to change your authentication keys periodically to avoid brute force attacks, or if you suspect that some of the keys have been compromised. To generate new authentication keys for Tripwire for Servers machines, you must unregister and re-register each machine with the Tripwire Manager. To generate new Manager keys, you must unregister all Tripwire for Servers machines, and delete the console.key file on the Tripwire Manager machine.

Secure Data Communication

All communication between the Tripwire Manager and Tripwire for Servers machines is protected using the Secured Sockets Layer (SSL) protocol to prevent eavesdropping. The Tripwire implementation of SSL uses 168 bit Triple DES encryption.
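The key exchange (steps 1 to 5) and the per-connection challenge and signature check described above can be modelled in a few lines. This Python model is an added example, not Tripwire's code or wire protocol: it uses textbook El Gamal signatures, and the class and function names are hypothetical. It assumes SHA-256 as the message hash and the 1024-bit MODP prime of RFC 2409 (Oakley Group 2) with generator 2, neither of which the guide specifies. The last case shows why the guide's warning asks you to keep the unregistered period short.

```python
import hashlib
import secrets
from math import gcd

# Assumed group parameters: RFC 2409 Oakley Group 2 (1024-bit prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def digest(message):
    # SHA-256 is an assumption; the guide does not name the hash.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    while True:
        k = secrets.randbelow(P - 3) + 2      # fresh nonce for every signature
        if gcd(k, P - 1) != 1:
            continue
        r = pow(G, k, P)
        s = (digest(message) - private * r) * pow(k, -1, P - 1) % (P - 1)
        if s:
            return r, s


def verify(public, message, signature):
    r, s = signature
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(G, digest(message), P) == pow(public, r, P) * pow(r, s, P) % P


class Manager:
    def __init__(self):
        self.private, self.public = keygen()  # step 1 (console.key in the guide)
        self.machines = {}                    # machine name -> public key (console.dat)

    def register(self, machine):
        reply = machine.accept_registration(self.public)   # step 3
        if reply is None:
            return False
        self.machines[machine.name] = reply                # step 5
        return True

    def answer(self, challenge):
        return sign(self.private, challenge)


class Machine:
    def __init__(self, name):
        self.name = name
        self.private = self.public = None
        self.manager_public = None            # None means "unregistered"

    def accept_registration(self, manager_public):
        if self.manager_public is not None:
            return None                       # already registered: refuse
        self.manager_public = manager_public  # the first request received wins
        self.private, self.public = keygen()  # step 4
        return self.public

    def answer(self, challenge):
        return sign(self.private, challenge)


def connect(manager, machine):
    """Each side signs a random packet chosen by the other side."""
    known = manager.machines.get(machine.name)
    if known is None or machine.manager_public is None:
        return False
    to_machine, to_manager = secrets.token_bytes(32), secrets.token_bytes(32)
    machine_ok = verify(known, to_machine, machine.answer(to_machine))
    manager_ok = verify(machine.manager_public, to_manager, manager.answer(to_manager))
    return machine_ok and manager_ok


def demo():
    manager, other = Manager(), Manager()
    machine = Machine("server01")             # constructed name
    results = {"registered": manager.register(machine),
               "mutual_auth": connect(manager, machine),
               "second_registration": other.register(machine)}
    other.machines[machine.name] = machine.public   # knowing the public key is not enough
    results["other_manager_auth"] = connect(other, machine)
    late = Machine("server02")                # left unregistered too long
    other.register(late)
    results["intended_manager_after_delay"] = manager.register(late)
    return results


if __name__ == "__main__":
    print(demo())
```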
Licensing Agreements

Tripwire Manager 4.5 includes software redistributed under the following licensing agreements.

Sun Microsystems, Inc. License Agreement

The Software contains software and copyrighted information of Sun Microsystems, Inc. All title to such software is retained by Sun. This product includes code licensed from RSA Security, Inc. Some portions licensed from IBM are available at

ANTLR License Agreement

ANTLR is included in this product.
180
181 Index A access time resetting 21 Action Window 16 Add Machines command 42, 128 agents grouping 14 Approve All Approve All command 123 using the Report Menu 50 Approve by Severity Approve by Severity command 123 using the Machine Menu 89 using the Report Menu 50, 89 Approve by Template Approve by Template command 123 Matching Modes 91 using a binary report file 90 using the Machine Menu 94 using the Report Menu 93 Archive configuration files 123 integrity systems 124 policy files 124 report files 124 schedule files 124 archiving files 98 attributes defined 71 audit log reporting 29 audit logging 48 authentication overview 158 keys 159 Tripwire Manager User Guide 163
182 Index C problems 108 changes for this version 7 changing passphrases 99 Collapse Machine Group command 43 command execution disabling commands during an integrity check 62 enabling 22 global execution on violation 23 maximum number of processes 23 specifying a user account for 22 specifying an executable to execute on integrity check 23 config rights 20 configuration file checking options 21 distributing 95 editing 44, 95 options 24 file options 19 file permissions logging options 27 other options 32 SNMP options 30 specifying a text editor 32 configuration file editor 18 console passphrase 99, 157 Controlling Manager 6 D database file initializing 45 printing format 33 printing level 34 resolving problems during update 109 specifying path to 19 updating 45, Tripwire Manager User Guide
183 Index database rights 20 DHCP using withtripwire for Servers machines 14 Distribute File command 44 distributing 95 distributing files 44, 64, 83, 95 E edit configuration 124 integrity system 125 policy 125 schedule 125 Edit Configuration File command 44 Edit Policy File command 44 Edit Schedule File command 44 editing configuration file 95 policy file 72 "no violations" report 26 character encoding 25 global 26 localizing 26 mail method 24 mail program 25 report levels 25 sending HTML or XML reports 62 sending integrity check reports 62 setting conditions and parameters 48 SMTP host 24 SMTP port 24 source address 25 errors report files 39 event tracking enabling 22 event data violations 85 Tripwire Manager User Guide 165
184 Index event violations in an integrity check report 68 flags 22 exclusions defined 71 Expand Machine Group command 43 Export Manager Report command 42 Export Selected Machines command 42 exporting Machine Lists 42 exporting Machine report 42 F file backup 13 filtering report files 67 fonts for Tripwire Manager 47 Forget Tripwire Manager Passphrase command 43 full screen mode for Manager windows 46 G global context 138 global variables 35 grouping machines 14 groups changing groups 42 collapsing 43 expanding 43 in the Machine List 12 H hashes ignoring during an integrity check 61 HTML ing HTML reports 62 I icons 166 Tripwire Manager User Guide
185 Index in the Machine List 12 in the Report Viewer 39 Initialize Database command 45 integrity check overview 58 checking specific sections of a policy file 62 disabling command execution 62 reports 62 for specific objects only 61 HTML or XML reports 62 ignoring properties 61, 62 rule blocks, checking by 60 running 44 scheduling 64 selective integrity checks 59 specifying system objects to check 61 using rule blocks 60 Integrity Check command 44, 126 Integrity Check Now command 126 integrity system 48 acquiring 97 distributing 96 opening 44 saving 96 IP addresses for SNMP traps 31 K key files 156 keys authentication private key 156 public key 156 L launch commands contexts 136 examples 153 Tripwire Manager User Guide 167
186 Index global context 138 Launch command 126 machine list context 139 parameters 145 procedures 133 reference 114 report context 141 report list context 140 rule context 142 types 131 update database 143 violation context 144 launch contexts 136 launch in context commands arguments 117 immediate 118 Launch in Context Commands 115 qualifier 121 types 115 user 120 Launch Menu 52 launching external applications 130 local key 156 specifying path to 20 Loose Directory checking 21 M machine groups creating 14 nesting 14 Machine List 11 changing groups 42 creating 13 exporting 42 machine list context 139 Machine menu 44 machines 168 Tripwire Manager User Guide
187 Index adding 42 collapsing groups 43 expanding groups 43 exporting information to a text file 42 grouping 14 regrouping 42 removing 42 report format 33 report level 33 synchronizing 42 violation count 41 mail method 24 Main Window 17 expanding to full screen 46 Manager menu 42 Manager passphrase changing 99 menu options 42 multiple Managers 6 N network interface card (NIC) 31 Network Status Window 16 new features for this version 7 notification by archive report 106 by execute command 105 by sending 104 triggers 102 notifications sending 102 O Open Integrity System command 44 Output Window 17 Tripwire Manager User Guide 169
188 Index P passphrases change machine local passphrase 45 Change Tripwire Manager Passphrase command 42 changing 99 changing machine site passphrases 45 clearing 43 console 157 late prompting 34 verify machine site and local passphrases 45, 101 pattern matching 58, 63 permissions for Tripwire files 20 pie charts 16 policy file defined 71 distributing 83 editing 44, 72 exclude object from policy 51 find rule in policy 51 global variables 35 specifying path to 19 updating 82 policy file editor changing rule block attributes 78 creating rules 79 deleting rule blocks 78 file system information 36 generating rules from a pattern 80 registry 36 user interface 35 policy rights 20 preferences 47 private key 156 properties for rules 79 public key Tripwire Manager User Guide
189 Index Q qualifier commands manager passphrase 121 reason 122 user 122 R read-only media, using for additional security 157 Refresh Status command 45 registering machines problems 107 Regroup Agents command 42 Remove Machines command 42 report context 141 report files errors 39 exporting reports to an HTML file 68 filtering 50, 67 searching 50, 66 sections 39 severity 39 specifying path to 19 types of violations 40 viewing 44, 65 report list context 140 Report Menu 50 report rights 20 Report Viewer errors 39 icons Objects tab 38 panes 38 Reports tab 38 Summary tab 38 Violations tab 38 windows rule blocks Tripwire Manager User Guide 171
Index

  changing attributes 78
  defined 71
  deleting 78
rule context 142
rule properties 79
rules
  creating 79
  creating rules from a pattern 80
  defined 71
  properties 79

S

schedule file
  distributing 64
  editing 44, 64
  time zones 64
scheduling integrity checks 64
searching report files 66
sections in report files 39
security issues
  changing passphrases 99
  crossing mount points 22
  maximizing key file security 157
  unregistered HQ Connectors 158
Select in Report command 129
selective integrity checks 59
severity
  color coding 11, 12
  in report files 39
  viewing in Tripwire Manager 16
siggen command
  using to verify integrity 157
site key 156
  specifying path to 20
site passphrase
  changing 100
SMTP
  character encoding 25
  host 24
  port 24
  source address 25
SNMP
  activity on "no violations" 31
  community 31
  determining IP addresses 31
  host 30
  port 30
SSL
  Tripwire implementation 159
support 107
Synchronize Machines command 42
synchronizing Managers 42
syslog
  audit log 29
  executable event reporting 29
  facility 29
  host 28
  localizing messages 29
  no violations report 28
  priority 29
  report level 28
  reporting 27

T

technical support 107
temporary directory 20
time zones 64
timeout intervals 48
tracking changes to Tripwire for Servers machines 48
traverse mount points 22
Tripwire for Servers defined 3
Tripwire Manager defined 3
  changing hierarchy of control 6
  menu options 42
  multiple Managers 6
  specifying fonts 47
  synchronizing Managers 42
  windows
Tripwire system components 3
troubleshooting 107
  database update 109
  diagnosing problems 108

U

unavailable machines 12
Update Database command 45, 127
update database context 143
update intervals 48
updating
  database file 85
  policy file 82
using Tripwire software
  flowchart 57
  overview 55

V

Verify Passphrases command 127
View menu 46
View Report command 44
View Reports command 127
Viewing Manager 6
viewing output from Tripwire for Servers machines 17
viewing report files 65
violation context 144
violation types 40
violations
  approve all violations 88
  approve by template 50
  approve none
  approve patch 50
  color coding 12
  type of violations 12
  types 16

W

wildcards 58, 63
windows
  Action Window 16
  expanding to full screen 46
  Machine List 11
  Main Window 17
  Network Status Window 16
  Output Window 17
windows, viewing 17

X

XML
  ing XML reports 62
