Tripwire Enterprise Server Rule Sets
Vincent Fox, Doreen Meyer, and Paul Singh
UC Davis, Information and Educational Technology
July 25, 2006


Page 1: Tripwire Enterprise Server   Rule Sets

Tripwire Enterprise Server

Rule Sets

Vincent Fox, Doreen Meyer, and Paul Singh

UC Davis, Information and Educational Technology

July 25, 2006

Page 2: Tripwire Enterprise Server   Rule Sets

Working with Rule Sets

Questions
Rule types and rule groups
How does a rule work?
The parts of a file system rule
File system attributes
Criteria sets
Rule buttons

Page 3: Tripwire Enterprise Server   Rule Sets

Tripwire Enterprise Console

Page 4: Tripwire Enterprise Server   Rule Sets

File System Rule Types

UNIX file system rules (files and directories)

Windows or UNIX file system rules (files and directories)

Windows registry rules (keys and key values)

Page 5: Tripwire Enterprise Server   Rule Sets

Rules and Rule Groups

Page 6: Tripwire Enterprise Server   Rule Sets

Rule Search

Page 7: Tripwire Enterprise Server   Rule Sets

Default Rule Groups

Root rule group
Unlinked rule group

Page 8: Tripwire Enterprise Server   Rule Sets

Default Rule Groups

Page 9: Tripwire Enterprise Server   Rule Sets

How Does a File System Rule Work?

Run version check (baseline, promotion, task).

Rule identifies files and directories (objects) that are to be checked, and what attributes to check. The local agent determines if monitored objects have changed.

If changes are detected, the local agent creates new element versions and sends the new versions to the Enterprise Server.

Page 10: Tripwire Enterprise Server   Rule Sets

The Components of a File System Rule

Start points
Criteria sets
Exclusions
Stop points
Actions

Page 11: Tripwire Enterprise Server   Rule Sets

File System Rule Components – Start Point

Page 12: Tripwire Enterprise Server   Rule Sets

File System Rule Components – Criteria Set

Page 13: Tripwire Enterprise Server   Rule Sets

File System Rule Components – Stop Point

If a stop point is added, the file system rule will not check the specified file or directory for changes.

Page 14: Tripwire Enterprise Server   Rule Sets

File System Rule Components – Exclusions

Page 15: Tripwire Enterprise Server   Rule Sets

File System Components – Actions
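A constructed model of the rule walk the preceding slides describe (start points, stop points, exclusions, criteria set, then a version check against the baseline), added here as an example; it is not Tripwire's own code or rule format. The glob-pattern exclusion, the content_only criteria set of size plus MD5, and the sample tree under a temporary directory are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Constructed model of a file system rule (not Tripwire's own format or API): start points are walked,
# stop points and exclusion patterns prune the walk, and the criteria set names the attributes recorded.
ATTRIBUTES = {
    "size": lambda p, st: st.st_size,
    "md5": lambda p, st: hashlib.md5(Path(p).read_bytes()).hexdigest(),
}
CRITERIA_SETS = {"content_only": ("size", "md5")}

def walk_rule(start_points, stop_points=(), exclusions=(), criteria_set="content_only"):
    """Return {path: attributes} for every file the rule monitors (one element version each)."""
    stops = {os.path.abspath(p) for p in stop_points}
    elements = {}
    for start in start_points:
        for root, dirs, files in os.walk(start):
            # A stop point removes that directory, and everything below it, from the check.
            dirs[:] = [d for d in dirs if os.path.join(root, d) not in stops]
            for name in files:
                path = os.path.join(root, name)
                if path not in stops and not any(fnmatch(name, pat) for pat in exclusions):
                    st = os.lstat(path)
                    elements[path] = {a: ATTRIBUTES[a](path, st) for a in CRITERIA_SETS[criteria_set]}
    return elements

def version_check(baseline, current):
    """Diff a baseline against a later check: {path: ["added"] | ["removed"] | [changed attributes]}."""
    changes = {}
    for path in set(baseline) | set(current):
        if path not in baseline or path not in current:
            changes[path] = ["added" if path in current else "removed"]
        elif any(baseline[path][a] != current[path][a] for a in baseline[path]):
            changes[path] = [a for a in baseline[path] if baseline[path][a] != current[path][a]]
    return changes

def demo():
    """Constructed sample tree: baseline it, tamper with it, and run a second version check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "skip"))
    for rel, data in [("etc/passwd", b"root:x:0:0\n"), ("etc/app.log", b"log\n"), ("etc/skip/x", b"x")]:
        Path(root, rel).write_bytes(data)
    rule = dict(start_points=[os.path.join(root, "etc")], stop_points=[os.path.join(root, "etc", "skip")], exclusions=["*.log"])
    baseline = walk_rule(**rule)
    passwd = Path(root, "etc", "passwd")
    passwd.write_bytes(passwd.read_bytes() + b"eve:x:0:0\n")  # constructed change: a second UID-0 account appended
    monitored = sorted(os.path.relpath(p, root) for p in baseline)
    changes = {os.path.relpath(p, root): v for p, v in version_check(baseline, walk_rule(**rule)).items()}
    return monitored, changes
```

Only etc/passwd is monitored: app.log is dropped by the exclusion pattern and skip/x by the stop point, so the later check reports just the size and MD5 change on passwd.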

Page 16: Tripwire Enterprise Server   Rule Sets

Adjusting Rules

Feature
Add a start point
Edit an existing start point
Add a stop point
Delete a single stop point

Page 17: Tripwire Enterprise Server   Rule Sets

Adjusting a Rule in Node View

Page 18: Tripwire Enterprise Server   Rule Sets

Adjusting a Rule

Page 19: Tripwire Enterprise Server   Rule Sets

Severity Levels and Severity Ranges

A severity level is a numeric value that indicates the importance of a change.

Severity levels are assigned to every rule.

For file system rules, you assign a severity level to each start point in the rule.

Page 20: Tripwire Enterprise Server   Rule Sets

Default Severity Ranges

Range     Indicator Color     Value
High      Red                 67-10000
Medium    Yellow              34-66
Low       Blue                1-33

Page 21: Tripwire Enterprise Server   Rule Sets

Global Severity Settings

Page 22: Tripwire Enterprise Server   Rule Sets

Attributes and Criteria Sets

File system attributes
Creating and modifying criteria sets

Keeps an encrypted database of file/registry attributes (including 4 hashing algorithms: HAVAL, MD5, SHA and CRC-32).

Tripwire detects changes to 29 object properties (file/directory) and 21 registry key and value properties on Windows.

Page 23: Tripwire Enterprise Server   Rule Sets

Rules: Windows Directory Attributes

Page 24: Tripwire Enterprise Server   Rule Sets

Rules: Windows File Attributes

Page 25: Tripwire Enterprise Server   Rule Sets

Attributes – Files/Directories

Archive flag
Read-only flag
Hidden flag
Offline flag
Temporary flag
System flag
Directory flag
Last access time
Last write time
Create time
File size
Turns on event tracking for that object
MS-DOS 8.3 name
NTFS Compressed flag
NTFS Owner SID
NTFS Group SID
NTFS DACL
NTFS SACL
Security descriptor control
Size of security descriptor
CRC-32
MD5
SHA
HAVAL
Number of NTFS streams
CRC-32 hash of all alternative data streams
MD5 hash of all alternative data streams
SHA hash of all alternative data streams
HAVAL hash of all alternative data streams

Page 26: Tripwire Enterprise Server   Rule Sets

Rules: Registry Attributes

Page 27: Tripwire Enterprise Server   Rule Sets

Windows Registry: Attributes

Registry Key Objects
– Last write time
– Owner SID
– Group SID
– DACL
– SACL
– Security descriptor control
– Size of security descriptor for the key
– Name of class
– Number of subkeys
– Maximum length of subkey name
– Maximum length of class name
– Number of values
– Maximum length for value name
– Maximum length of data for any value in the key
– Turns on event tracking for that object

Registry Value Objects
– Type of value data
– Length of value data
– CRC-32 hash of value data
– MD5 hash of value data
– SHA hash of value data
– HAVAL hash of value data

Page 28: Tripwire Enterprise Server   Rule Sets

Windows Registry

User Settings:
– HKEY_USERS
– HKEY_CURRENT_USER

System Settings:
– HKEY_LOCAL_MACHINE
– HKEY_CLASSES_ROOT
– HKEY_CURRENT_CONFIG

Page 29: Tripwire Enterprise Server   Rule Sets

Developing the UCD Windows Rule Set

Critical OS system files and directories.

Determine critical registry keys.
– Keep it general initially.
– Tailor to more specifics per system and business requirements.

Page 30: Tripwire Enterprise Server   Rule Sets

Rules: UNIX File and Directory Attributes

Page 31: Tripwire Enterprise Server   Rule Sets

File System Attributes for UNIX

Attribute    Applies to               Description
ACL          Files and directories    Access control list
Access       Files and directories    Last date and time accessed
Change       Files and directories    Last date and time modified or created

Page 32: Tripwire Enterprise Server   Rule Sets

File System Attributes for UNIX

Attribute    Applies to               Description
Group        Files and directories    Group owning a file or directory
Growing      Files only               Size/SHA-1 hash. Size must be larger than baseline and/or hash change

Page 33: Tripwire Enterprise Server   Rule Sets

File System Attributes for UNIX

Attribute    Applies to               Description
MD5          Files only               MD5 hash
Modify       Files and directories    Last date and time content changed

Page 34: Tripwire Enterprise Server   Rule Sets

Criteria Sets for UNIX

Page 35: Tripwire Enterprise Server   Rule Sets

UNIX Criteria Set – Content Only

Page 36: Tripwire Enterprise Server   Rule Sets

UNIX Criteria Set – Permissions Only

Page 37: Tripwire Enterprise Server   Rule Sets

Rule Buttons

New Group
New Rule
Import, Export
Move
Link, Unlink
Delete

Page 38: Tripwire Enterprise Server   Rule Sets

New Rule Group

Page 39: Tripwire Enterprise Server   Rule Sets

New Rule

Page 40: Tripwire Enterprise Server   Rule Sets

New Rule

Page 41: Tripwire Enterprise Server   Rule Sets

New Rule

Page 42: Tripwire Enterprise Server   Rule Sets

New Rule

Page 43: Tripwire Enterprise Server   Rule Sets

New Rule

Page 44: Tripwire Enterprise Server   Rule Sets

Rule Import and Export

Import and export rules to preserve rule sets

"version control"

Page 45: Tripwire Enterprise Server   Rule Sets

Rule Buttons

Move
Link
Unlink
Delete

Page 46: Tripwire Enterprise Server   Rule Sets

Assignment for August 8

Create a file system rule
Create a Windows registry rule
Deployment options

Page 47: Tripwire Enterprise Server   Rule Sets

July-August Training Schedule

July 12: adding and configuring a node using the basic rule set
July 25: creating and modifying rules
August 8: reports, dashboard, deployment

Page 48: Tripwire Enterprise Server   Rule Sets

Contacts

[email protected] - class mailing list

Vincent Fox - [email protected]
Doreen Meyer - [email protected]
Bob Ono - [email protected]
Paul Singh - [email protected]
Tripwire Software - [email protected]