Tripwire Enterprise Server Rule Sets Vincent Fox, Doreen Meyer, and Paul Singh UC Davis, Information and Educational Technology July 25, 2006 Working with Rule Sets Questions Rule types and rule groups How does a rule work? The parts of a file system rule File system attributes Criteria sets Rule buttons Tripwire Enterprise Console File System Rule Types UNIX file system rules (files and directories) Windows or unix file system rules (files and directories) Windows registry rules (keys and key values) Rules and Rule Groups Rule Search Default Rule Groups Root rule group Unlinked rule group Default Rule Groups How Does a File System Rule Work? Run version check (baseline, promotion, task) Rule identifies files and directories (objects) that are to be checked, and what attributes to check. The local agent determines if monitored objects have changed. If changes are detected, local agent creates new element versions and sends the new versions to the Enterprise Server. The Components of a File System Rule Start points Criteria sets Exclusions Stop points Actions File System Rule Components – Start Point File System Rule Components – Criteria Set File System Rule Components – Stop Point If a stop point is added, the file system rule will not check the specified file or directory for changes. File System Rule Components – Exclusions File System Components Actions Adjusting Rules Feature Add a start point Edit an existing start point Add a stop point Delete a single stop point Adjusting a Rule in Node View Adjusting a Rule Severity Levels and Severity Ranges A severity level is a numeric value that indicates the importance of a change. Severity levels are assigned to every rule. For file system rules, you assign a severity level to each start point in the rule. Default Severity Ranges Range Indicator Color Value High Red 67-10000 Medium Yellow 34-66 Low Blue 1-33 Global Severity Settings Attributes and Criteria Sets File system attributes Creating and modifying criteria sets Keeps encrypted database of File/Registry Attributes (including 4 hashing algorithms – HAVAL, MD5, SHA and CRC-32) Tripwire detects changes to 29 object properties (file/directory) and 21 Registry keys/values on Windows. Rules: Windows Directory Attributes Rules: Windows File Attributes Attributes – File/Directories Archive flag Read-only flag Hidden flag Offline flag Temporary flag System flag Directory flag Last access time Last write time Create time File size Turns on event tracking for that object MS-DOS 8.3 name NTFS Compressed flag NTFS Owner SID NTFS Group SID NTFS DACL NTFS SACL Security descriptor control Size of security descriptor CRC-32 MD5 SHA HAVAL Number of NTFS streams CRC-32 hash of all alternative data streams MD5 hash of all alternative data streams SHA hash of all alternative data streams HAVAL hash of all alternative data streams Rules: Registry Attributes Windows Registry: Attributes Registry Key Objects – – – – – – – – – – – – – – Last write time Owner SID Group SID DACL SACL Security descriptor control Size of security descriptor for the key Name of class Number of subkeys Maximum length of subkey name Maximum length of classname Number of values Maximum length for value name Maximum length of data for any value in the key – Turns on event tracking for that object Registry Value Objects – – – – – – Type of value data Length of value data CRC-32 hash of value data MD5 hash of value data SHA hash of value data HAVAL hash of value data Windows Registry User Settings: – HKEY_USERS – HKEY_CURRENT_USER System Settings: – HKEY_LOCAL_MACHINE – HKEY_CLASSES_ROOT – HKEY_CURRENT_CONFIG Developing the UCD Windows Rule Set Critical OS system files and directories. Determine critical registry keys. – Keep it general initially. – Tailor to more specifics per system and business requirements. Rules: UNIX File and Directory Attributes File System Attributes for UNIX Attribute Applies to… Description ACL Files and directories Access control list Access Files and directories Last date and time accessed Change Files and directories Last date and time modified or created File System Attributes for UNIX Attribute Applies to Description Group Files and directories Growing Files only Group owning a file or directory Size/SHA-1 hash. Size must be larger than baseline and/or hash change File System Attributes for UNIX Attribute Applies to Description MD5 Files only MD5 hash Modify Files and directories Last date and time content changed Criteria Sets for UNIX UNIX Criteria Set – Content Only UNIX Criteria Set – Permissions Only Rule Buttons New Group New Rule Import, Export Move Link, Unlink Delete New Rule Group New Rule New Rule New Rule New Rule New Rule Rule Import and Export Import and export rules to preserve rule sets “version control” Rule Buttons Move Link Unlink Delete Assignment for August 8 Create a file system rule Create a windows registry rule Deployment options July-August Training Schedule July 12: adding and configuring a node using the basic rule set July 25: creating and modifying rules August 8: reports, dashboard, deployment Contacts ucdtripwire@ucdavis.edu - class mailing list Vincent Fox - vbfox@ucdavis.edu Doreen Meyer - dimeyer@ucdavis.edu Bob Ono - raono@ucdavis.edu Paul Singh - pasingh@ucdavis.edu Software - software@ucdavis.edu