For Internet Facing and Private Data Systems
Audience
Prerequisites
Course Overview
  Day 1: Section 1: Functionality and Purpose
  Day 2: Section 2: Policies and Alerts; Section 3: Live Lab

Lab Setup
  Course DVD
  Exercises & demos: hands-on experience throughout the course, with a demonstration preceding each exercise
  VMware Player running Windows 2003 Server: self-contained, server and agent are on the same functional VMware image
  Tripwire training books are available for checkout at the library
Section 1: Functionality and Purpose

Tripwire Server and Agents
  (Diagram: Tripwire Server; Tripwire Clients such as a Private Data System and an IIS Server)
  Push the agent out to the system you're protecting, or install the agent manually on the system you're protecting
  Agents accept settings from the server, perform tasks, and send results to the server
Installing Tripwire Enterprise Server
  Minimum hardware requirements
  Network port and hostname requirements
  Agent installation
  Services password!!
  Demo: Installing Tripwire Enterprise Server software on Windows 2003 Server

Port Requirements
  Port   Protocol   Application   Use
  443    TCP        HTTPS         Secure HTTP connection to Tripwire Enterprise from a web browser
  8080   TCP        HTTP          Alternate HTTP port for application integration and agent updates
  9898   TCP        Services      Communication to/from the Agent Service
  Any and all of these ports are configurable to a different port number.
  The host must have a statically assigned IP address and a hostname resolvable to this address.
Licensing
  Contact the CU Licensing Office for a License Authorization Code (LAC)
  Pre-generated LACs include 30 file system nodes and 30 network nodes

Accessing the Tripwire Enterprise Console
  Accepting the SSL certificate
  Logging in

Console Layout
  Sidebar, Tabs, Button Bar, Interface Toolbar, Tree Pane, Status Bar, Main Pane

User Accounts, Roles, and Groups
  Pre-defined roles: Administrator, Power User, Regular User, Monitor User, User Administrator
  User Groups
Access Controls
  An access control limits the permissions of specific users and user groups to nodes and node groups.

User Settings
  User Preferences: affect only the display for a user
  Difference Viewer preferences

System Settings
  Global configuration options which apply to all users

Severity Ranges
  A numeric value used in a rule to indicate changes to monitored objects and the relative importance of these changes.

Global Variables
  Used in place of specific text strings or passwords.
Exercises
  Exercise 1: Accessing the Console
  Exercise 2: Licenses
  Exercise 3: Getting Help
  Exercise 4: User Accounts and Roles
  Exercise 5: User Groups
  Exercise 6: Permissions
  Exercise 7: User Preferences
  Exercise 8: Severity Ranges
  Exercise 9: Global Variables

Review Questions
  How would one obtain a license to run a Tripwire Enterprise Server?
  What are the configurable user settings?
  What is a severity range?
  What is a global variable?
Tripwire Enterprise Objects
  Nodes, Rules, Actions, Tasks

Tripwire Enterprise Objects
  Elements, Versions
  (Diagram: node IIS Server; elements Index.html and Search.php; element versions for the Jan 3 edit, the July 30 edit and the April 7 edit)
Understanding Groups
  Node Groups
  Rule Groups
  Tasks and nested groups

Moving, Deleting, Linking, and Unlinking Objects
  Move
  Delete: copies of node objects
  Linking: discovered objects
  Unlinking: the Unlinked folder
  Importing and exporting objects
  Demo: Working with Objects

Exercises
  Exercise 1: Groups
  Exercise 2: Moving, Linking, Unlinking, Deleting Objects

Review Questions
  What is the difference between a node, rule, action, and task?
  How is a version related to an element?
  Can actions be grouped?
Place Nodes in Groups
  The node tree: geographical location, type of node
  Other node options: Security tab, Variables tab (node specific)

Exercises
  Exercise 1: Node Specific Variables
  Exercise 2: Agent Logs
Grouping Rules
  The rule tree
    Integrity Check: links to rules in the Rules Library, based on time to run
    Rules Library: type of node, platform
  Handout: File System Rule Configuration Reference
  Handout: Windows Registry Key and Value Attributes

Create Criteria Sets
  Choosing file attributes: static attributes, dynamic attributes, content attribute, permissions attributes, package data attributes

Exercises
  Exercise 1: Criteria Sets
  Exercise 2: File System Rules
  Exercise 3: Registry Rules
  Exercise 4: Command Output Capture Rules
Actions
  An action is an event that is executed based on the outcome of an element change
  Predefined actions for file systems
  Handout: Actions and Conditional Actions

Review Questions
  What is the best practice for organizing nodes?
  Give an example of a rule that you would create. Would you associate that rule with an action?
Creating Baselines
  3 steps before running a baseline: check severity ranges, check monitored objects, schedule

Change Notification
  E-mail action: summary vs. contextual
  Execution action
  Finding changed objects

Using the Difference Viewer
  Modification, Addition, Removal
  Exercise: Examining changes
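As an added illustration of what a baseline and a subsequent integrity check produce (example code written for this page, not Tripwire's own), the snippet below snapshots the attributes a simple criteria set would capture for each file element and classifies every difference as an Addition, Removal or Modification; the directory, file names and contents are constructed inline, and the `ignore` parameter stands in for tuning a rule to drop irrelevant attribute changes.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Attributes captured per element, loosely modelled on a criteria set:
# static (size, permissions), dynamic (mtime) and content (SHA-256).
def file_element(path: Path) -> dict:
    st = path.stat()
    return {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "mtime": st.st_mtime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }

def take_baseline(root: str) -> dict:
    """Snapshot every regular file under root, keyed by relative path."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): file_element(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}

def diff_baselines(old: dict, new: dict, ignore=()) -> dict:
    """Classify each changed element; attributes in `ignore` are not compared
    (the equivalent of tuning a rule so irrelevant changes stop alerting)."""
    changes = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes[rel] = ("Addition", [])
        elif rel not in new:
            changes[rel] = ("Removal", [])
        else:
            differing = [a for a in old[rel]
                         if a not in ignore and old[rel][a] != new[rel][a]]
            if differing:
                changes[rel] = ("Modification", differing)
    return changes

def demo() -> dict:
    """Constructed sample: baseline a temp dir, alter it, run an integrity check."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_bytes(b"<html>welcome</html>")
        Path(root, "search.php").write_bytes(b"<?php echo 'search'; ?>")
        baseline = take_baseline(root)
        Path(root, "index.html").write_bytes(b"<html>welcome!</html>")  # content edit
        Path(root, "search.php").unlink()                                # removal
        Path(root, "new.php").write_bytes(b"<?php ?>")                   # addition
        return diff_baselines(baseline, take_baseline(root), ignore=("mtime",))
```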
Exercises
  Exercise 1: Tasks and Baselines for File System Objects
Promoting Expected Changes
  Manual
  Promote by reference

Managing Unexpected Changes
  Gathering audit information
  Irrelevant changes: rule tuning

Review Questions
  What is a baseline?
  What objects are necessary to schedule a baseline?
  What is an indication of a change in the Tripwire console?
  What are the different responses to changes?
Archiving Log Messages
Compacting Element Versions

Review Questions
  What is the purpose of Tripwire?
  What does Tripwire monitor?
  What are the objects that make up a task?
  How does Tripwire detect changes?
Section 2: Policies and Alerts

Creating Policies to Manage Change
  General principles
  Step 1: Define a policy
  Step 2: Outline the policy
  Step 3: Create the policy objects

General Principles
  Categorize objects
  Remediate changes
  Minimize the amount of effort required by IT and management staff

Internet Facing Systems Principles
Private Data Systems Principles
Live Lab Principles
Change Detection Flow
  Change occurs -> Scheduled task performed -> Change detected -> Appropriate administrator alerted

Evaluating a Change
  Change occurred -> Evaluate change:
    Irrelevant -> Tuning
    Expected -> Promote
    Unexpected -> Unexpected change (handled per system type below)

Internet Facing Systems: Unexpected Change (decision diagram)
  Change detected: unexpected?
    Authorized: revert?
      Yes -> Revert, then run the task or check the rules
      No -> Promote
    Unauthorized -> Declare security incident
  Tuning
Private Data Systems: Unexpected Change
  Change detected -> Unexpected change -> Fix the rule and task as necessary -> Run the task or check the rules -> Promote -> Eliminate elements no longer checked
Live Lab: Unexpected Change
  Change detected -> Unexpected change -> Tuning -> Promote changes as necessary -> Generate reports

Live Lab
  Import the rules.xml file
  We'll follow step by step the reasoning behind the pre-defined rules that are outlined in the rules.xml file