Tripwire Enterprise Server – Basic Tasks

Post on 17-Jan-2016


Topics

- Server install Q&A
- Understanding the UI
- Settings manager
- Your first node!
  - Importing useful rules
  - Agent install
  - The managers: nodes, rules, actions, tasks, logs
  - Baselining, version checks, promotion

Server Install

- Single-server: just run the installer
- Dual-server: you will need to add parameters to the install command
- Windows cannot install over TS (Terminal Services)
- STORE THOSE PASSWORDS!
- Note: in TE 5.5 there are problems using a Services Password longer than 8 characters

Server Firewall/NAT

- Firewall: see Installation Guide, Chapter 1, Network Requirements
- NAT: see Reference Guide, Chapter 4, System Properties

Tripwire UI

The TE GUI has many elements of a familiar desktop, but it is not one. This can lead to frustration and broken mice.

Zones of the Console

TE Console Areas

TE Console Flubs

Server Settings

- User preference settings
- System preferences
- Email server

Useful Account Setting

System Preferences

- Shorten 'session timeout' to 10 minutes

Email Servers

Administration Settings

- Configure login method
- Creating roles
- Creating a user group
- Creating users

Configure Login Method

Roles

Modifying Roles

Creating User Groups

- Functional groups, usually by role
- Obvious groupings: staff/admins, operations, management

Node Setup Tasks

- Import TFS and/or UCD-basic rulesets
- Install agent on a node
- Create an action
- Use tasks to associate rule, node, action, and schedule a time to run
- Create a baseline for the node
- Wait. Example: a rule with 7,000 elements stored took ~600 seconds.

Import Useful Rules

- TFS rules are very generic and usually result in many elements stored.
- UCD rules are leaner and meaner.
- Rule names need to be unique or a collision will occur.

Install the Agent Software

- Install as Administrator
- Enter port + services password
- Punch holes in firewall!
- There is a silent install option; see Users Guide, Ch. 2, Installation Procedures for TE Agent

Agent Install

Firewall on Client

Create Email Action

Move Discovered Node

Create First Task

- We just want a Check Rule Task for our example

Test That It Works

- Modify a "watched" element
- Run the task, or do a 'node check'
- Note the change or check your email
- Take action on the intrusion! Or, just promote the changes.

Node Manager

- Adding a node group
- Linking a node
- Elements for file system nodes
- Element versions
- Node viewing filter

Adding a Node Group

Linking a Node

Link Symbol

TE Symbols Exposed

Node Elements

Element Versions

Node Viewing Filter

- Without filtering, TMI
- Now we can see the trees

Viewing Rules

Rule Specifiers

Action Manager

- Viewing actions
- Creating an email action
- Creating an SNMP action
- Creating an execution action (locally or on TE server)

An Execution Action

An execution action echoing the file name of a changed element to a file

Task Manager

- Viewing tasks
- Creating and deleting tasks

Log Manager

- Viewing logs
- Sorting and filtering logs

Log Manager - Search

The Baseline - What Is Happening?

- Baselining is I/O intensive on DB disks
- Recommend baselining only a small number of systems at once.

Snapshot Defined

A temporary record of the monitored object's current attributes. In a baseline execution, this becomes the baseline version. In a version check, this is the "now" state that is compared against the baseline.

Version Check

Viewing Changes

Difference Viewer

Promotion

- Promote selected versions
- Promote by match
- Promote by reference
- Promote by package

Promote Selected Versions

Promote current snapshot(s) to baseline. Select using the GUI.
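The baseline / snapshot / version check / promote cycle above, and the "Test That It Works" steps earlier (modify a watched element, run a check, note the change, then act on it or promote it), can be walked through in code. The following is an added illustration written for this page; it is not Tripwire code and never talks to a TE server or agent. It assumes a "rule" reduced to a list of paths, element attributes fixed to SHA-256, size and permission bits (TE tracks far more), and two files constructed in a temp directory as the watched elements.

```python
"""Toy file-integrity monitor: baseline -> version check -> difference
viewer -> promotion.  Added illustration of the TE workflow on this page,
not Tripwire code.  Rule = list of paths; attributes = sha256/size/mode;
the watched files are constructed in a temp dir for the demo."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Versions = Dict[str, Optional["ElementVersion"]]


@dataclass(frozen=True)
class ElementVersion:
    """One stored version of a monitored element (a file)."""
    sha256: str
    size: int
    mode: int


def snapshot(paths: List[str]) -> Versions:
    """Temporary record of each element's current attributes.
    None marks an element the rule watches but which no longer exists."""
    out: Versions = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            out[p] = None
            continue
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        out[p] = ElementVersion(h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return out


class Monitor:
    def __init__(self, paths: List[str]) -> None:
        self.paths = list(paths)
        self.baseline: Optional[Versions] = None
        self.current: Optional[Versions] = None

    def create_baseline(self) -> None:
        """Baseline execution: the snapshot becomes the baseline version."""
        self.baseline = snapshot(self.paths)

    def version_check(self) -> Dict[str, str]:
        """Compare the 'now' snapshot against the baseline.
        Returns {path: 'added' | 'removed' | 'modified'} for changed elements."""
        if self.baseline is None:
            raise RuntimeError("baseline the node before checking it")
        self.current = snapshot(self.paths)
        changes: Dict[str, str] = {}
        for p in self.paths:
            before, after = self.baseline[p], self.current[p]
            if before == after:
                continue
            changes[p] = ("added" if before is None else
                          "removed" if after is None else "modified")
        return changes

    def difference(self, path: str) -> List[Tuple[str, object, object]]:
        """Difference viewer: which attributes differ between baseline and now."""
        assert self.baseline is not None and self.current is not None
        before, after = self.baseline[path], self.current[path]
        if before is None or after is None:
            return [("element", before, after)]
        return [(a, getattr(before, a), getattr(after, a))
                for a in ("sha256", "size", "mode")
                if getattr(before, a) != getattr(after, a)]

    def promote(self, paths: Optional[List[str]] = None) -> None:
        """Promote selected versions: the current snapshot of each selected
        element becomes its baseline.  Only promote changes you have confirmed
        are authorised; promoting blindly makes an intrusion the accepted state."""
        if self.baseline is None or self.current is None:
            raise RuntimeError("run a version check before promoting")
        for p in (self.paths if paths is None else paths):
            self.baseline[p] = self.current[p]


def demo() -> dict:
    """The page's 'Test That It Works' steps on two constructed files."""
    d = tempfile.mkdtemp()
    cfg, hosts = os.path.join(d, "sshd_config"), os.path.join(d, "hosts")
    for p, body in ((cfg, b"PermitRootLogin no\n"), (hosts, b"127.0.0.1 localhost\n")):
        with open(p, "wb") as f:
            f.write(body)
    m = Monitor([cfg, hosts])
    m.create_baseline()
    clean = m.version_check()                 # fresh baseline: nothing to report
    with open(cfg, "ab") as f:                # modify a "watched" element...
        f.write(b"PermitRootLogin yes\n")
    os.remove(hosts)                          # ...and remove another
    first = {os.path.basename(p): k for p, k in m.version_check().items()}
    attrs = [a for a, _, _ in m.difference(cfg)]
    m.promote([cfg])                          # accept only the sshd_config change
    after = {os.path.basename(p): k for p, k in m.version_check().items()}
    return {"clean": clean, "first": first, "changed_attrs": attrs, "after_promote": after}
```

Running demo() reports both elements as changed on the first check (sshd_config modified in hash and size, hosts removed); after promoting only sshd_config, the next check still flags hosts, because promotion is per selected version, exactly as "Promote Selected Versions" describes. The security point is in promote(): the GUI makes it one click, but it rewrites what "known good" means for that element.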

Homework for July 26

- Install an agent and associate it with a basic rule or rule set and a task or action
- Practice the procedures
- Deployment options

Training Schedule

- July 12: adding and configuring a node using the basic rule set
- July 26: creating and modifying rules
- Aug 1 or 8?: reports, dashboard, deployment steps

Resources

- http://security.ucdavis.edu/tripwire.cfm - Rulesets and presentations
- ucdtripwire@ucdavis.edu - mailing list
- Vincent Fox - vbfox@ucdavis.edu
- Doreen Meyer - dimeyer@ucdavis.edu
- Bob Ono - raono@ucdavis.edu
- Software - software@ucdavis.edu