Tripwire Enterprise Server – Basic Tasks

Doreen Meyer and Vincent Fox, UC Davis, Information and Education Technology, July 12, 2006

Topics

- Server install Q&A
- Understanding the UI
- Settings manager
- Your first node!
- Importing useful rules
- Agent install
- The managers: nodes, rules, actions, tasks, logs
- Baselining, version checks, promotion

Server Install

- Single-server: just run the installer
- Dual-server: you will need to add parameters to the install command
- Windows cannot install over TS (Terminal Services)
- STORE THOSE PASSWORDS!

Note: in 5.5 there are problems using a Services Password longer than 8 characters.

Server firewall/NAT

- Firewall: see Installation Guide, Chapter 1, Network requirements
- NAT: see Reference Guide, Chapter 4, System Properties

Tripwire UI

- The TE GUI has many elements of a familiar desktop, but it is not one. This can lead to frustration and broken mice.
- Zones of the console

TE Console Areas

TE Console Flubs

Server Settings

- User preference settings
- System preferences
- Email server

Useful Account Setting

System Preferences

- Shorten 'session timeout' to 10 minutes

Email Servers

Administration Settings

- Configure login method
- Creating roles
- Creating a user group
- Creating users

Configure Login Method

Roles

Modifying Roles

Creating User Groups

- Functional groups, usually by role
- Obvious groupings: staff/admins, operations, management

Node Setup Tasks

- Import TFS and/or UCD-basic rulesets
- Install agent on a node
- Create an action
- Use tasks to associate rule, node, action, and schedule a time to run
- Create a baseline for the node
- Wait. Example: a rule with 7,000 elements stored took ~600 seconds.

Import Useful Rules

- TFS rules are very generic and usually result in many elements stored.
- UCD rules are leaner, meaner.
- Rule names need to be unique or a collision will occur.

Install the Agent Software

- Install as Administrator
- Enter port + services password
- Punch holes in firewall!
- There is a silent install option; see Users Guide, Ch. 2, Installation Procedures for TE Agent

Agent Install

Firewall on Client

Create Email Action

Move Discovered Node

Create First Task

We just want a Check Rule Task for our example

Test That It Works

- Modify a "watched" element
- Run the task, or do a 'node check'
- Note the change or check your email
- Take action on the intrusion! Or, just promote the changes.

Node Manager

- Adding a node group
- Linking a node
- Elements for file system nodes
- Element versions
- Node viewing filter

Adding a Node Group

Linking a Node

Link Symbol

TE Symbols Exposed

Node Elements

Element Versions

Node Viewing Filter

Without filtering, TMI

Now we can see the trees

Viewing Rules

Rule Specifiers

Action Manager

- Viewing actions
- Creating an email action
- Creating an SNMP action
- Creating an execution action (locally or on the TE server)

An Execution Action

An Execution Action echoing the file name of a changed element to a file
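The slide above shows an execution action that echoes a changed element's file name to a file. An execution action runs a command line on the agent or the TE server, so the element name becomes input to that command. The script below is an added illustration, not Tripwire Enterprise code: it assumes the action hands the element path to the script as its first argument (how your action supplies that value is configuration-specific), and the temporary paths and the hostile file name are constructed for the demo. It contrasts splicing the name into a shell command with passing it as a shell positional parameter.

```python
"""Two ways an execution-action script could record the name of a changed
element.  Added, illustrative script; not Tripwire Enterprise code.
Assumption: the action passes the element path as the first argument.
All paths and the hostile file name below are constructed for the demo."""
import os
import shutil
import subprocess
import sys
import tempfile


def unsafe_log(element: str, logfile: str) -> None:
    """Splices the element name into a shell command line.
    A name containing shell metacharacters is executed, not logged."""
    subprocess.run("echo " + element + " >> " + logfile,
                   shell=True, check=False, stdout=subprocess.DEVNULL)


def safe_log(element: str, logfile: str) -> None:
    """Same 'echo to a file' via the shell, but the element name reaches the
    shell as positional parameter $1, so it is data, never syntax."""
    subprocess.run(["sh", "-c", 'printf "%s\\n" "$1" >> "$2"',
                    "sh", element, logfile], check=True)


def run_demo() -> dict:
    """Feed both loggers a hostile file name and report what each did."""
    work = tempfile.mkdtemp()
    try:
        log = os.path.join(work, "changes.log")
        marker = os.path.join(work, "INJECTED")
        # Constructed attacker-chosen name: whoever can create files in a
        # watched directory controls what lands in the action's command line.
        hostile = "evil.txt; touch " + marker

        unsafe_log(hostile, log)
        unsafe_marker = os.path.exists(marker)   # True: 'touch' ran
        unsafe_logged = open(log).read() if os.path.exists(log) else None
        if unsafe_marker:
            os.remove(marker)
        if os.path.exists(log):
            os.remove(log)

        safe_log(hostile, log)
        safe_marker = os.path.exists(marker)     # False: nothing executed
        safe_logged = open(log).read()           # the full name, verbatim
        return {"unsafe_marker": unsafe_marker, "unsafe_logged": unsafe_logged,
                "safe_marker": safe_marker, "safe_logged": safe_logged}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    # As an execution action: python3 log_change.py <element> <logfile>
    if len(sys.argv) == 3:
        safe_log(sys.argv[1], sys.argv[2])
    else:
        print(run_demo())
```

In the unsafe variant the shell runs `touch` and the log ends up empty; the element name never reaches the file. The same caveat applies to any command line TE builds for an execution action by substituting the element name: treat that name as untrusted data.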

Task Manager

- Viewing tasks
- Creating and deleting tasks

Log Manager

- Viewing logs
- Sorting and filtering logs

Log Manager - Search

The Baseline- What is Happening?

- Baselining is I/O intensive on the DB disks
- Recommend baselining only a small number of systems at once

Snapshot defined

- Temporary record of the monitored object's current attributes.
- In a baseline execution, this becomes the baseline version.
- In a version check, this is the "now" state we compare against the baseline.

Version Check

Viewing Changes

- Difference Viewer

Promotion

- Promote selected versions
- Promote by match
- Promote by reference
- Promote by package

Promote Selected Versions

- Promote current snapshot(s) to baseline. Select using the GUI.
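The steps in "Test That It Works" and the definitions of snapshot, version check and promotion above, carried through in a small Python model. This is an added illustration, not Tripwire code: `Node`, `snapshot()`, `version_check()` and `promote()` are assumed names, not TE's API, and the watched files are constructed in a temporary directory. It shows why a second check without promotion reports the same changes (the baseline, not the last snapshot, is always the reference) and what "promote selected versions" does to the baseline.

```python
"""Toy model of the baseline / snapshot / version check / promote cycle.
Added example for illustration; not Tripwire Enterprise code, and the
names below are assumptions, not TE's API."""
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Version:
    """Attributes recorded for one element (here: a regular file)."""
    sha256: str
    size: int
    mode: int


def snapshot(path: str) -> Optional[Version]:
    """Temporary record of the element's current attributes; None if gone."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return Version(h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


class Node:
    """One monitored system: a rule (list of element paths) and a baseline."""

    def __init__(self, rule):
        self.rule = list(rule)
        self.baseline: Dict[str, Version] = {}

    def baseline_check(self) -> int:
        """Snapshot every element; each snapshot becomes the baseline version."""
        self.baseline = {}
        for p in self.rule:
            v = snapshot(p)
            if v is not None:
                self.baseline[p] = v
        return len(self.baseline)

    def version_check(self) -> Dict[str, str]:
        """Compare each element's 'now' snapshot against its baseline version.
        Returns {path: 'added' | 'modified' | 'removed'} for every difference."""
        changes = {}
        for p in self.rule:
            base, cur = self.baseline.get(p), snapshot(p)
            if base == cur:
                continue
            if base is None:
                changes[p] = "added"
            elif cur is None:
                changes[p] = "removed"
            else:
                changes[p] = "modified"
        return changes

    def promote(self, paths) -> None:
        """Promote selected versions: in this model the current snapshot
        replaces the baseline version (or the entry is dropped if removed)."""
        for p in paths:
            cur = snapshot(p)
            if cur is None:
                self.baseline.pop(p, None)
            else:
                self.baseline[p] = cur


def run_demo() -> dict:
    """Baseline, tamper, detect, re-check, promote, remove. Files constructed here."""
    work = tempfile.mkdtemp()
    try:
        cfg = os.path.join(work, "sshd_config")
        dropped = os.path.join(work, "dropped_binary")
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        node = Node([cfg, dropped])          # dropped does not exist yet
        baselined = node.baseline_check()

        # The "intrusion": edit a watched config and drop a new file.
        with open(cfg, "a") as f:
            f.write("PermitRootLogin yes\n")
        with open(dropped, "wb") as f:
            f.write(b"\x7fELF")
        names = lambda d: {os.path.basename(p): k for p, k in d.items()}
        detected = names(node.version_check())
        repeat = names(node.version_check())  # same result until promoted

        node.promote([cfg, dropped])          # operator accepts the changes
        after_promote = names(node.version_check())
        os.remove(dropped)
        removed = names(node.version_check())
        return {"baselined": baselined, "detected": detected, "repeat": repeat,
                "after_promote": after_promote, "removed": removed}
    finally:
        shutil.rmtree(work)
```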

Homework for July 26

- Install an agent and associate it with a basic rule or rule set and a task or action
- Practice the procedures
- Deployment options

Training Schedule

- July 12: adding and configuring a node using the basic rule set
- July 26: creating and modifying rules
- Aug 1 or 8?: reports, dashboard, deployment steps

Resources

- http://security.ucdavis.edu/tripwire.cfm - Rulesets and presentations
- [email protected] - mailing list
- Vincent Fox: [email protected]
- Doreen Meyer: [email protected]
- Bob Ono: [email protected]
- Software: [email protected]