Tripwire Enterprise Server - Rule Sets

Vincent Fox, Doreen Meyer, and Paul Singh
UC Davis, Information and Educational Technology
July 25, 2006
Working with Rule Sets

– Questions
– Rule types and rule groups
– How does a rule work?
– The parts of a file system rule
– File system attributes
– Criteria sets
– Rule buttons

Tripwire Enterprise Console
File System Rule Types

– UNIX file system rules (files and directories)
– Windows file system rules (files and directories)
– Windows registry rules (keys and key values)
Rules and Rule Groups

Rule Search

Default Rule Groups

– Root rule group
– Unlinked rule group
How Does a File System Rule Work?

– A version check runs (as a baseline, a promotion, or a scheduled check task).
– The rule identifies the files and directories (objects) to be checked and which of their attributes to check. The local agent determines whether the monitored objects have changed.
– If changes are detected, the local agent creates new element versions and sends them to the Enterprise Server.
The Components of a File System Rule

– Start points
– Criteria sets
– Exclusions
– Stop points
– Actions

File System Rule Components – Start Point

File System Rule Components – Criteria Set

File System Rule Components – Stop Point

If a stop point is added, the file system rule will not check the specified file or directory for changes; a stop point on a directory also excludes everything beneath it.

File System Rule Components – Exclusions

File System Rule Components – Actions
Adjusting Rules Feature

– Add a start point
– Edit an existing start point
– Add a stop point
– Delete a single stop point

Adjusting a Rule in Node View

Adjusting a Rule
Severity Levels and Severity Ranges

– A severity level is a numeric value (1 to 10000) that indicates the importance of a change.
– A severity level is assigned to every rule.
– For file system rules, you assign a severity level to each start point in the rule.

Default Severity Ranges

Range    Indicator color   Value
High     Red               67-10000
Medium   Yellow            34-66
Low      Blue              1-33

Global Severity Settings
Attributes and Criteria Sets

– File system attributes
– Creating and modifying criteria sets
– Tripwire keeps an encrypted database of file and registry attributes, including four hash algorithms: HAVAL, MD5, SHA and CRC-32. Note that CRC-32 is an error-detecting checksum, not a cryptographic hash, and practical collision attacks exist for MD5, HAVAL and SHA-1, so a criteria set meant to catch deliberate tampering should use the strongest hash available and check more than one attribute.
– Tripwire detects changes to 29 object properties (file/directory) and 21 registry key/value properties on Windows.
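The following is an added example for this page, not Tripwire Enterprise code, that ties together the slides on how a rule works, the rule components (start points, criteria sets, exclusions, stop points) and per-start-point severity. It baselines a constructed directory tree, tampers with it, and runs a version check that reports new element versions. The criteria-set names and the severity ranges are taken from the deck; the function names, the "All" criteria set, the constructed sample files, and the use of SHA-256 in place of the four hash algorithms the product offers are this example's own assumptions.

```python
"""Toy file-system rule engine following the rule model in these slides: start points,
criteria sets, exclusions, stop points, per-start-point severity, and a version check
that compares fresh element versions against a baseline. Added example, not Tripwire
code: criteria-set names and severity ranges come from the slides, the rest is assumed."""
import fnmatch, hashlib, os, tempfile
from dataclasses import dataclass

# A criteria set names the attributes to check (cf. "Content Only" / "Permissions Only").
CRITERIA_SETS = {
    "Content Only": ("size", "sha256"),
    "Permissions Only": ("mode", "uid", "gid"),
    "All": ("size", "sha256", "mode", "uid", "gid", "mtime"),
}
SEVERITY_RANGES = (("High", 67, 10000), ("Medium", 34, 66), ("Low", 1, 33))  # slide defaults

@dataclass(frozen=True)
class StartPoint:
    path: str                # file or directory where monitoring begins
    criteria: str = "All"    # criteria set applied to every object under it
    severity: int = 50       # severity level of changes found under this start point
    stop_points: tuple = ()  # paths never checked; a directory stop point also stops descent
    exclusions: tuple = ()   # fnmatch patterns on the object name that are skipped

@dataclass(frozen=True)
class Change:
    path: str
    kind: str          # "added", "removed" or "modified"
    attributes: tuple  # attribute names whose value differs from the baseline
    severity: int
    range: str

def severity_range(level):
    """Map a severity level onto the default High/Medium/Low ranges."""
    return next((n for n, lo, hi in SEVERITY_RANGES if lo <= level <= hi), "Unranked")

def element_version(path, criteria):
    """One element version: the values of the attributes the criteria set names."""
    st = os.lstat(path)
    attrs = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid, "mtime": st.st_mtime_ns}
    if os.path.isfile(path) and not os.path.islink(path):  # content attributes: files only
        with open(path, "rb") as f:
            attrs["size"], attrs["sha256"] = st.st_size, hashlib.sha256(f.read()).hexdigest()
    return {k: v for k, v in attrs.items() if k in CRITERIA_SETS[criteria]}

def monitored_objects(sp):
    """Walk a start point, honouring its stop points and exclusions."""
    def blocked(p):
        return (any(p == s or p.startswith(s + os.sep) for s in sp.stop_points)
                or any(fnmatch.fnmatch(os.path.basename(p), pat) for pat in sp.exclusions))
    if blocked(sp.path):
        return
    yield sp.path
    for dirpath, dirnames, filenames in os.walk(sp.path):
        dirnames[:] = sorted(d for d in dirnames if not blocked(os.path.join(dirpath, d)))
        for name in dirnames + sorted(filenames):
            if not blocked(os.path.join(dirpath, name)):
                yield os.path.join(dirpath, name)

def snapshot(rule):
    """Element versions for every object the rule's start points identify (a baseline)."""
    return {p: element_version(p, sp.criteria) for sp in rule for p in monitored_objects(sp)}

def severity_for(rule, path):
    """An object inherits the severity of the deepest start point it lies under."""
    owners = [sp for sp in rule if path == sp.path or path.startswith(sp.path + os.sep)]
    return max(owners, key=lambda sp: len(sp.path)).severity if owners else 0

def version_check(rule, baseline):
    """Compare fresh element versions with the baseline; return added/removed/modified objects."""
    current, changes = snapshot(rule), []
    for path in sorted(set(baseline) | set(current)):
        if path in baseline and path in current:
            kind = "modified"
            attrs = tuple(a for a, v in baseline[path].items() if current[path].get(a) != v)
            if not attrs:
                continue
        else:
            kind, attrs = ("added" if path in current else "removed"), ()
        sev = severity_for(rule, path)
        changes.append(Change(path, kind, attrs, sev, severity_range(sev)))
    return changes

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, run a version check."""
    etc = os.path.join(tempfile.mkdtemp(), "etc")
    os.makedirs(os.path.join(etc, "cache"))
    def write(rel, text):
        with open(os.path.join(etc, rel), "w") as f:
            f.write(text)
    write("passwd", "root:x:0:0:root:/root:/bin/sh\n")
    write("motd.bak", "old banner\n")
    write("cache/index", "scratch\n")
    rule = [StartPoint(etc, criteria="Content Only", severity=90,
                       stop_points=(os.path.join(etc, "cache"),), exclusions=("*.bak",))]
    baseline = snapshot(rule)
    write("passwd", "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")  # reported
    write("motd.bak", "new banner\n")     # matches an exclusion: not reported
    write("cache/index", "changed\n")     # under a stop point: not reported
    write("shadow", "root:*:0:0:::::\n")  # new element: reported as added
    return version_check(rule, baseline)
```

Running demo() reports exactly two changes, both at severity 90 (High): passwd modified in size and sha256, and shadow added. The edited motd.bak and the file under the cache stop point are never visited, which is the behaviour a practitioner should confirm when adding exclusions and stop points to a real rule, since every path they cover is a blind spot.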
Rules: Windows Directory Attributes

Rules: Windows File Attributes

Attributes – Files/Directories

– Archive flag
– Read-only flag
– Hidden flag
– Offline flag
– Temporary flag
– System flag
– Directory flag
– Last access time
– Last write time
– Create time
– File size
– Event tracking (turns on event tracking for that object)
– MS-DOS 8.3 name
– NTFS Compressed flag
– NTFS Owner SID
– NTFS Group SID
– NTFS DACL
– NTFS SACL
– Security descriptor control
– Size of security descriptor
– CRC-32
– MD5
– SHA
– HAVAL
– Number of NTFS streams
– CRC-32 hash of all alternate data streams
– MD5 hash of all alternate data streams
– SHA hash of all alternate data streams
– HAVAL hash of all alternate data streams
Rules: Registry Attributes

Windows Registry: Attributes

Registry Key Objects
– Last write time
– Owner SID
– Group SID
– DACL
– SACL
– Security descriptor control
– Size of security descriptor for the key
– Name of class
– Number of subkeys
– Maximum length of subkey name
– Maximum length of class name
– Number of values
– Maximum length for value name
– Maximum length of data for any value in the key
– Turns on event tracking for that object

Registry Value Objects
– Type of value data
– Length of value data
– CRC-32 hash of value data
– MD5 hash of value data
– SHA hash of value data
– HAVAL hash of value data

Windows Registry

User Settings:
– HKEY_USERS
– HKEY_CURRENT_USER

System Settings:
– HKEY_LOCAL_MACHINE
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER, HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG are links or merged views into HKEY_USERS and HKEY_LOCAL_MACHINE rather than separate hives, so a rule that must cover a particular user's settings is better anchored at that user's SID under HKEY_USERS than at HKEY_CURRENT_USER as seen by the agent's own account.
Developing the UCD Windows Rule Set

– Critical OS system files and directories.
– Determine critical registry keys.
  – Keep it general initially.
  – Tailor to more specifics per system and business requirements.
Rules: UNIX File and Directory Attributes

File System Attributes for UNIX

Attribute   Applies to              Description
ACL         Files and directories   Access control list
Access      Files and directories   Last date and time accessed (atime)
Change      Files and directories   Last date and time the inode was changed (ctime): permissions, ownership, link count or content; this is not the creation time
Group       Files and directories   Group owning the file or directory
Growing     Files only              Size/SHA-1 hash for files that are expected to grow, such as logs: the size must not be smaller than the baseline, and the content that was present at baseline time must still hash to the baseline value; growth alone is not reported
MD5         Files only              MD5 hash
Modify      Files and directories   Last date and time the content changed (mtime)
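The Growing attribute from the table above, as an added example that is not Tripwire code: a log file may be appended to, but a version check flags it if it shrank or if the bytes that existed at baseline time no longer hash to the baseline value. Hashing the baseline-length prefix is this example's own reading of "Size/SHA-1 hash"; SHA-1 is kept to match the slide (a current deployment would pick SHA-256), and the function names and the sample auth-log lines are constructed here.

```python
"""Growing-file check: growth is expected, truncation or rewriting of existing
content is a violation. Added example modelled on the slide's Growing attribute;
the prefix-hash approach, function names and sample log lines are assumptions."""
import hashlib, os, tempfile

def growing_baseline(path):
    """Record the size and the SHA-1 of the whole file as it was at baseline time."""
    with open(path, "rb") as f:
        data = f.read()
    return {"size": len(data), "sha1": hashlib.sha1(data).hexdigest()}

def growing_check(path, baseline):
    """Return None when the file only grew (or is unchanged), else the kind of violation."""
    if os.path.getsize(path) < baseline["size"]:
        return "truncated"  # smaller than baseline: entries were removed or rewritten shorter
    with open(path, "rb") as f:
        prefix = f.read(baseline["size"])  # only the baseline-length prefix is hashed
    if hashlib.sha1(prefix).hexdigest() != baseline["sha1"]:
        return "prefix modified"  # an existing line was edited in place
    return None

def demo():
    """Constructed scenario: an auth log that is appended to, then edited, then truncated."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    lines = ["Jul 25 09:00:01 host sshd[100]: Accepted publickey for alice\n",
             "Jul 25 09:00:02 host sshd[101]: Failed password for root\n"]
    def write(content, mode="w"):
        with open(path, mode) as f:
            f.write(content)
    write("".join(lines))
    base = growing_baseline(path)
    write("Jul 25 09:00:03 host sshd[102]: Accepted password for bob\n", "a")
    appended = growing_check(path, base)                # None: growth is expected
    write(lines[0] + lines[1].replace("root", "carl"))  # same size, history rewritten
    edited = growing_check(path, base)                  # "prefix modified"
    write(lines[0])                                     # failed login erased
    truncated = growing_check(path, base)               # "truncated"
    return appended, edited, truncated
```

The second case is the one a plain size check misses: the edited log is exactly as long as the baseline, so only the hash of the baseline-length prefix reveals that history was rewritten. Log rotation legitimately produces the "truncated" result, so a Growing rule on a rotated log needs a promotion after each rotation or a stop point on the rotated copies.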
Criteria Sets for UNIX
UNIX Criteria Set –
Content Only
UNIX Criteria Set –
Permissions Only
Rule Buttons

– New Group
– New Rule
– Import, Export
– Move
– Link, Unlink
– Delete

New Rule Group

New Rule
Rule Import and Export

– Export rules and rule groups to a file, and import them again later, to preserve rule sets.
– Keep the exported files under "version control": a known-good copy of the rule set can be re-imported if a rule is changed or deleted by mistake.
Rule Buttons

– Move
– Link
– Unlink
– Delete
Assignment for August 8

– Create a file system rule
– Create a Windows registry rule
– Deployment options

July-August Training Schedule

– July 12: adding and configuring a node using the basic rule set
– July 25: creating and modifying rules
– August 8: reports, dashboard, deployment
Contacts

– ucdtripwire@ucdavis.edu - class mailing list
– Vincent Fox - vbfox@ucdavis.edu
– Doreen Meyer - dimeyer@ucdavis.edu
– Bob Ono - raono@ucdavis.edu
– Paul Singh - pasingh@ucdavis.edu
– Software - software@ucdavis.edu