COVR Example #1: Monitoring Network Devices Outside a Firewall
In some environments, your Tripwire Enterprise Server may be unable to retrieve configuration information from a monitored network device. For instance, if a firewall separates the TE Server from a switch, the server may be unable to retrieve configuration information from the switch via TFTP. In such cases, a COVR may be used as an alternative to a configuration file rule.
With a COVR, the TE Server establishes a connection with the switch, and retrieves configuration information via the connection.
In the following example, Julie, a system administrator, creates a COVR to monitor configuration information on a Cisco IOS device.
To create and test the new COVR, Julie completes the following steps:
1. First, Julie creates the COVR (see Creating a Command Output Validation Rule on page 432). In the New Rule Wizard, she enters the following command in the Commands to capture field:
show running-config
In the Element name field, Julie enters the following descriptive name for elements created by the COVR:
Cisco IOS config
2. In the Task Manager, Julie creates a check rule task, and associates the Cisco IOS device and the new COVR with the task (see Creating a Check Rule Task on page 504).
In the last page of the New Task Wizard, she selects the Initialize baselines now check box. With this setting, Tripwire Enterprise automatically creates a current baseline by applying the new COVR to the Cisco IOS device.
3. In the Node Manager, Julie selects the current baseline to open the element version properties dialog (see Changing the Properties of an Element Version on page 323). The Content tab should include the configuration information for the Cisco IOS device.
Tripwire Enterprise 8.2 User Guide 99 Chapter 3. Terms, Concepts, and Functions
COVR Example #2: Version Checking Configuration Information
By adding selection criteria to a COVR, you can specify command output to be monitored by a version check of network devices. When a version check is run with a COVR containing selection criteria, Tripwire Enterprise scans all strings matching the selection criteria, and excludes all other output from the check.
In this example, Terry, a system administrator, wants to monitor the version numbers of Cisco IOS routers. To do this, she will create a COVR with selection criteria.
To create the new COVR, Terry completes the steps below:
1. In the New Rule Wizard, Terry enters show version in the Commands to run field (see Creating a Command Output Validation Rule on page 432).
2. In the Selection Method page, she selects Include lines containing and enters the following regular expression in the Pattern field:
^IOS
With this setting, version checks (run with the COVR) will only check lines that begin with the letters “IOS.”
Notes: For a list of common characters used with regular expressions, see Table 34 on page 103.
To edit the selection method for an existing COVR, see Changing the Properties of a Rule on page 423.
3. In the Task Manager, Terry creates a check rule task, and associates the new COVR and a Cisco IOS router with the task (see Creating a Check Rule Task on page 504).
In the last page of the New Task Wizard, she selects the Initialize baselines now check box. With this setting, Tripwire Enterprise automatically creates a current baseline by applying the new COVR to the Cisco IOS router.
4. In the Node Manager, Terry selects the new baseline to open the element version properties dialog (see Changing the Properties of an Element Version on page 323). The Content tab should only include lines that begin with the letters “IOS.”
COVR Example #3: Masking Data in Command Output
In some cases, it may be useful to replace dynamic or sensitive command-output data with dummy data. For instance, if you filter dynamic data from command output, you may want to replace the data with a marker indicating that output content has been removed. In this example, Dagny, a system administrator, uses the COVR search-and-replace feature to substitute dummy data for user passwords generated in command output.
Recently, Dagny created a COVR to check the configurations of Cisco IOS routers. To generate configuration output, she entered show running-config in the Commands to capture field (see Creating a Command Output Validation Rule on page 432).
To test the new rule, she baselined one of the routers with the COVR (see Initial Baselining of Monitored Objects on page 376). When Dagny reviewed the resulting baseline, she found the following content (see Changing the Properties of an Element Version on page 323):
...
aaa processes 6
enable secret 5 $1$xbajx9jRxLXXYx/H/xX8Uwn3jH/
enable password 7 14111E1A0416261A2C
!
username admin privilege 15 password 7 140FA2041A0FF17
username user password 7 060206224241
...
Since the command output included several weakly encrypted passwords, Dagny decides to mask the passwords in future output generated by the COVR.
To edit the COVR, Dagny completes the steps below:
1. Dagny opens the properties dialog for the COVR (see Changing Filter or Search-and-Replace Criteria for a COVR or COCR on page 428).
2. In the Filter tab, she enters the following regular expression in the Search pattern field:
((password|secret)\s+\d+)(.*)
3. In the Replacement string field, she enters the following replacement string, in which $1 stands for the text matched by the first capture group of the search pattern:
$1 XXXXXX
To test the updated rule, Dagny re-baselines the router (see Re-baselining Monitored Systems on page 377). When she reviews the resulting baseline version, she discovers the following output.
As intended, the COVR now replaces each password entry with the string “XXXXXX.”
...
aaa processes 6
enable secret 5 XXXXXX
enable password 7 XXXXXX
!
username admin privilege 15 password 7 XXXXXX username user password 7 XXXXXX
...
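The selection logic of Example #2 and the masking logic of Example #3, worked through in Python as an added example (this is not Tripwire Enterprise code): the guide's "^IOS" selection pattern and its "((password|secret)\s+\d+)(.*)" / "$1 XXXXXX" search-and-replace are applied to constructed sample output, with the guide's "$1" back-reference notation translated to Python's, plus a check that no original password value survives masking. The sample show version and show running-config text is constructed for the example, not captured from a real device.

```python
import re

# Constructed sample output (not captured from a real device), shaped like the
# Cisco IOS "show version" and "show running-config" output the examples use.
SHOW_VERSION = """\
Cisco IOS Software, C2960 Software, Version 12.2(55)SE, RELEASE SOFTWARE (fc1)
IOS (tm) image file is "flash:/c2960-lanbasek9-mz.bin"
ROM: Bootstrap program is C2960 boot loader
uptime is 3 weeks, 2 days, 4 hours
"""
RUNNING_CONFIG = """\
aaa processes 6
enable secret 5 $1$xbajx9jRxLXXYx/H/xX8Uwn3jH/
enable password 7 14111E1A0416261A2C
!
username admin privilege 15 password 7 140FA2041A0FF17
username user password 7 060206224241
"""

def select_lines(output: str, pattern: str) -> list[str]:
    """Example #2: "Include lines containing" keeps only the lines that match
    the selection regex; every other line is excluded from the version check.
    Note that "Cisco IOS Software, ..." does NOT start with IOS and is dropped."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if rx.search(line)]

def covr_replacement_to_python(replacement: str) -> str:
    """The guide writes back-references as $1; Python's re.sub wants \\g<1>."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", replacement)

def mask_output(output: str, search: str, replacement: str) -> str:
    """Example #3: apply the search-and-replace criteria to each output line.
    The trailing (.*) swallows the hash or type-7 string, so only "$1 XXXXXX"
    (e.g. "password 7 XXXXXX") remains after the match position."""
    rx = re.compile(search)
    py_repl = covr_replacement_to_python(replacement)
    return "\n".join(rx.sub(py_repl, line) for line in output.splitlines())

def leaked_secrets(original: str, masked: str) -> list[str]:
    """Verification step: collect every value that followed "password N" or
    "secret N" in the original output and report any that still appear."""
    values = re.findall(r"(?:password|secret)\s+\d+\s+(\S+)", original)
    return [v for v in values if v in masked]

if __name__ == "__main__":
    print(select_lines(SHOW_VERSION, r"^IOS"))
    masked = mask_output(RUNNING_CONFIG, r"((password|secret)\s+\d+)(.*)", "$1 XXXXXX")
    print(masked)
    print("leaked:", leaked_secrets(RUNNING_CONFIG, masked))
```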