Tripwire Enterprise Server - Basic Tasks - Security

Tripwire Enterprise Server – Basic Tasks
Doreen Meyer and Vincent Fox
UC Davis, Information and Education Technology
July 12, 2006
Topics

- Server install Q&A
- Understanding the UI
- Settings manager
- Your first node!
- Importing useful rules
- Agent install
- The managers: nodes, rules, actions, tasks, logs
- Baselining, version checks, promotion
Server Install

- Single-server: just run the installer
- Dual-server: you will need to add parameters to the install command
- Windows cannot install over TS
- STORE THOSE PASSWORDS!
- *Note: in 5.5, problems using a Services Password > 8 chars
Server firewall/NAT

- Firewall: see Installation Guide, Chapter 1, Network requirements
- NAT: see Reference Guide, Chapter 4, System Properties
Tripwire UI

The TE GUI has many elements of a familiar desktop, but is not one. This can lead to frustration and broken mice.
Zones of the console
TE Console Areas
TE Console Flubs
Server Settings

- User preference settings
- System preferences
- Email server
- Useful account setting
System Preferences

- Shorten ‘session timeout’ to 10 minutes
Email Servers
Administration Settings

- Configure login method
- Creating roles
- Creating a user group
- Creating users
Configure Login Method
Roles
Modifying Roles
Creating User Groups

- Functional groups, usually by role
- Obvious groupings: staff/admins, operations, management
Node Setup Tasks

- Import TFS and/or UCD-basic rulesets
- Install agent on a node
- Create an action
- Use tasks to associate rule, node, action, and schedule a time to run
- Create a baseline for the node
- Wait. Example: a rule with 7,000 elements stored took ~600 seconds.
Import Useful Rules

- TFS rules are very generic and usually result in many elements stored.
- UCD rules are leaner, meaner.
- Rule names need to be unique or a collision will occur.
Install the Agent Software

- Install as Administrator
- Enter port + services password
- Punch holes in firewall!
- There is a silent install option; see Users Guide, Ch. 2, Installation Procedures for TE Agent
Agent Install
Firewall on Client
Create Email Action
Create Email Action
Move Discovered Node
Create First Task
We just want a Check Rule Task for our example
Test That It Works

- Modify a “watched” element
- Run the task, or do a ‘node check’
- Note the change or check your email
- Take action on the intrusion! Or, just promote the changes.
Node Manager

- Adding a node group
- Linking a node
- Elements for file system nodes
- Element versions
- Node viewing filter
Adding a Node Group
Linking a Node
Link Symbol
TE Symbols Exposed
Node Elements
Element Versions
Node Viewing Filter
Without filtering, TMI
Now we can see the trees
Viewing Rules
Rule Specifiers
Action Manager

- Viewing actions
- Creating an email action
- Creating an SNMP action
- Creating an execution action (locally or on TE server)
An Execution Action

An execution action echoing the file name of a changed element to a file.
Task Manager

- Viewing tasks
- Creating and deleting tasks
Log Manager

- Viewing logs
- Sorting and filtering logs
Log Manager - Search
The Baseline: What is Happening?

- Baselining is I/O intensive on DB disks
- Recommend baselining only a small number of systems at once.
Snapshot defined

Temporary record of the monitored object’s current attributes. In a baseline execution, this would become the baseline version. In a version check, this is the “now” state we compare the baseline against.

Version Check
Viewing Changes

Difference Viewer
Promotion

- Promote selected versions
- Promote by match
- Promote by reference
- Promote by package
Promote Selected Versions

Promote current snapshot(s) to baseline. Select using the GUI.
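The baseline, snapshot, version check and promotion cycle from the last few slides, the "Test That It Works" walk-through (modify a watched element, run a check, act, promote), and the execution action from the Action Manager slide that echoes a changed element's file name to a file, modelled together in one small Python program. This is an added example, not Tripwire Enterprise code, and it uses none of TE's APIs: the function names (take_snapshot, version_check, execution_action, promote), the attributes recorded per element (size, mode bits, SHA-256) and the sample files under a temporary directory are all assumptions constructed for the illustration.

```python
# Added example, not Tripwire Enterprise code: a miniature file-integrity
# monitor that walks through baseline -> modify a watched element ->
# version check -> execution action -> promote. Function names are
# hypothetical; the attributes recorded per element are an assumption.
import hashlib
import stat
import tempfile
from pathlib import Path


def element_attributes(path: Path) -> dict:
    """Attributes recorded for one element (assumed: size, mode bits, SHA-256)."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest}


def take_snapshot(root: Path) -> dict:
    """Snapshot: temporary record of every monitored element's current attributes."""
    return {
        p.relative_to(root).as_posix(): element_attributes(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def version_check(baseline: dict, snapshot: dict) -> dict:
    """Compare the 'now' snapshot against the baseline and report the differences."""
    changes = {"added": [], "removed": [], "modified": []}
    for name, attrs in snapshot.items():
        if name not in baseline:
            changes["added"].append(name)
        elif attrs != baseline[name]:
            changes["modified"].append(name)
    changes["removed"] = [name for name in baseline if name not in snapshot]
    return changes


def execution_action(changes: dict, logfile: Path) -> int:
    """Model of an execution action: append each changed element's name to a file.
    Returns the number of lines written."""
    lines = [f"{kind} {name}" for kind in ("added", "removed", "modified")
             for name in changes[kind]]
    with logfile.open("a", encoding="utf-8") as fh:
        fh.writelines(line + "\n" for line in lines)
    return len(lines)


def promote(baseline: dict, snapshot: dict, selected: list) -> dict:
    """Promote selected versions: the snapshot state of each selected element
    becomes its new baseline version; a selected element that no longer
    exists is dropped from the baseline. Unselected elements keep their
    old baseline, so they are still reported on the next check."""
    new_baseline = dict(baseline)
    for name in selected:
        if name in snapshot:
            new_baseline[name] = snapshot[name]
        else:
            new_baseline.pop(name, None)
    return new_baseline


def demo() -> dict:
    """Constructed walk-through on a temporary directory standing in for a node."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")  # constructed
        (root / "etc" / "motd").write_text("welcome\n")               # constructed
        baseline = take_snapshot(root)                 # the baseline run

        # "Modify a watched element": edit one file, add another (constructed).
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 fileserver\n")
        (root / "etc" / "issue").write_text("maintenance window\n")

        first = version_check(baseline, take_snapshot(root))   # the "node check"
        logfile = Path(tmp) / "changed-elements.log"
        logged = execution_action(first, logfile)              # the action fires

        # After review the changes are judged legitimate: promote them.
        baseline = promote(baseline, take_snapshot(root), first["added"] + first["modified"])
        second = version_check(baseline, take_snapshot(root))  # now reports nothing
        return {"first": first, "logged": logged,
                "log": logfile.read_text(encoding="utf-8"), "second": second}


if __name__ == "__main__":
    print(demo())
```

The first check reports etc/hosts as modified and etc/issue as added, the action writes those two names to the log file, and after promoting exactly those versions the second check is clean. Promotion is deliberately per element: anything you did not select keeps its old baseline version and keeps being reported, which is the behaviour to expect from "promote selected versions" as opposed to re-baselining the whole node.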
Homework for July 26

- Install an agent and associate it with a basic rule or rule set and a task or action
- Practice the procedures
- Deployment options
Training Schedule

- July 12: adding and configuring a node using the basic rule set
- July 26: creating and modifying rules
- Aug 1 or 8?: reports, dashboard, deployment steps
Resources

- http://security.ucdavis.edu/tripwire.cfm - Rulesets and presentations
- ucdtripwire@ucdavis.edu - mailing list
- Vincent Fox - vbfox@ucdavis.edu
- Doreen Meyer - dimeyer@ucdavis.edu
- Bob Ono - raono@ucdavis.edu
- Software - software@ucdavis.edu