
Tripwire Manager. User Guide 4.5


Tripwire Manager User Guide

Tripwire, Inc. All rights reserved.

All other brand or product names may be trademarks or registered trademarks of their respective companies or organizations.

Tripwire, Inc.

326 SW Broadway, 3rd Floor Portland, OR 97205


Document List

The Tripwire License Authorization Card (LAC) provides the access code used to obtain your Tripwire software license from the Tripwire Licensing website.

The Tripwire for Servers Installation Guide describes installation procedures for Tripwire for Servers software.

The Tripwire for Servers User Guide describes configuration and operation of Tripwire for Servers software.

The Tripwire Manager Quick Start helps you to quickly install and configure Tripwire Manager software.

The Tripwire Manager User Guide describes configuration and operation of Tripwire Manager software.

The Tripwire Reference Guide contains detailed reference information about Tripwire for Servers.

You can access PDF versions of the documents from the docs directory on the Tripwire Manager and Tripwire for Servers CDs.

Document Conventions

This Guide uses the following typographic conventions.

Bold in regular text indicates FTP and HTTP URLs, and emphasizes important issues.

Italic indicates file and directory names.

Constant in regular text shows commands and command-line options, and policy file rule attributes, directives, and variables.

Sans Serif in examples shows actual user input on the command line.

Sans Serif Italic in examples shows variables which should be replaced with context-specific values.

W denotes sections of the text that apply only to Windows installations of Tripwire software. Unless otherwise specified, all references to Windows refer to Windows NT, Windows 2000, and Windows XP Professional.

U denotes sections of the text that apply only to UNIX or Linux installations of Tripwire software. Unless otherwise specified, all references to UNIX also refer to Linux.

[options] The command reference section shows optional command-line arguments in brackets.

{ 1 | 2 | 3 } The command reference section shows sets of possible options in braces, separated by the | character. Choose only one of the options.

Support Contact Information

For the latest information and support for Tripwire products, visit the Tripwire website or contact Tripwire Technical Support.

Tripwire Support Website:

http://www.tripwire.com/services_and_support

Tripwire Technical Support:

e-mail: [email protected]

toll-free: 1.866.TWSUPPORT (6am-6pm Pacific)

phone: 503.276.7663

General information:

e-mail: [email protected]

international: +1.503.223.0280

Tripwire Professional Services

Tripwire Professional Services provides flexible service and support to meet your specific technical and deployment needs. If you would like Tripwire software deployment and implementation assistance, or additional training in using Tripwire software products, visit http://www.tripwire.com or contact your Tripwire sales representative.

Tripwire Educational Services

Tripwire Educational Services provides hands-on technical training in installing, configuring, and maintaining Tripwire software. Courses are taught by Tripwire Certified Instructors. For more information about technical training, visit http://www.tripwire.com or contact your Tripwire sales representative.


Contents

About This Guide . . . .iii

Document List . . . iv

Document Conventions . . . .v

Support Contact Information . . . vi

Introduction to Tripwire Manager . . . 1

Introduction to Tripwire Software . . . .2

Tripwire Manager System Architecture . . . .3

How Tripwire for Servers Works . . . .4

Using Multiple Tripwire Managers . . . .6

Controlling Connections with Multiple Managers . . . .6

New Features in this Version . . . .7

Tripwire Manager Interface . . . 9

Tripwire Manager Windows . . . 10

Machine List . . . 11

Creating a Machine List . . . 13

Grouping Machines . . . 14

Network Status Window. . . 16

Action Window . . . 16

Output Window. . . 17

Main Window . . . 17

Selecting Windows to View . . . 17

Configuration File Editor . . . 18


Other Tab . . . 32

Policy File Editor . . . 35

Report Viewer. . . 37

Main Pane . . . 38

Detail Pane. . . 38

Report Viewer Icons . . . 39

Object Pane . . . 41

Special Menu Options . . . 42

Manager Menu . . . 42

Machine Menu . . . 44

View Menu . . . 46

Preferences . . . 47

Policy Menu . . . 49

Report Menu. . . 50

Launch Menu . . . 52

Using Tripwire Manager . . . 55

Normal Tripwire Operation. . . 56

Checking Integrity. . . 58

Selective Integrity Check Options . . . 59

Checking Based on Severity Level . . . 60

Checking with Specific Rules Only . . . 60

Checking Specific Objects Only . . . 61

Ignoring Properties . . . 61

Checking Based on Policy File Section . . . 62

Disabling Command Execution . . . 62

Signing Reports. . . 62

E-mailing Integrity Check Reports . . . 62

Checking Based on Matching Wildcard Patterns . . . 63

Scheduling Integrity Checks . . . 64

Viewing Reports . . . 65

Searching Reports . . . 66


Exporting a Tripwire Manager Report . . . 68

Events Violations in Reports . . . 68

Working with the Policy File . . . 70

Policy File Terms . . . 71

Editing Policy Files. . . 72

Working with Policy File Variables . . . 74

Working with Rules and Rule Blocks . . . 76

Creating Rule Blocks . . . 77

Creating Rules . . . 79

Updating the Policy File . . . 82

Resolving Violations During a Policy Update. . . 84

Updating the Database File . . . 85

Approving All Violations . . . 88

Approve by Severity . . . 89

Approve by Template . . . 90

Matching Modes . . . 91

Changing Configuration Options . . . 95

Distributing an Integrity System . . . 96

Archiving Files . . . 98

Changing Passphrases. . . 99

Verifying Passphrases . . . 101

Sending Notifications. . . 102

Notification Triggers . . . 102

Configuring Notifications . . . 103

Notify by Send E-mail . . . 104

Notify by Execute Command . . . 105

Notify by Archive Report . . . 106

Troubleshooting . . . 107


Authentication Failure . . . 108

Resolving Database Update Problems . . . 109

Integrating with Other Applications. . . 111

Launching Manager From External Applications . . . 113

Introduction . . . 113

Command Reference . . . 114

Machine Lists . . . 114

Launch in Context Commands . . . 115

Types of Launch in Context Commands . . . 115

Understanding the Arguments . . . 117

Launch in Context Commands . . . 118

Manager Passphrase Command . . . 121

-User and -Reason Commands . . . 122

Approve All Command . . . 123

Approve by Severity Command . . . 123

Approve by Template Command . . . 123

Archive Configuration Files Command . . . 123

Archive Integrity Systems Command . . . 124

Archive Policy Files Command. . . 124

Archive Report Files Command . . . 124

Archive Schedule Files . . . 124

Edit Configuration Command . . . 124

Edit Policy Command . . . 125

Edit Schedule Command . . . 125

Edit Integrity System Command . . . 125

Integrity Check Command . . . 126

Integrity Check Now Command . . . 126

Launch Command . . . 126

Update Database Command . . . 127

Verify Passphrases Command . . . 127

View Reports Command. . . 127

Add Machines Command . . . 128


Launching External Applications . . . 130

Overview . . . 130

Types of Launch Commands . . . 131

General Attributes . . . 131

Command line launch command . . . 131

E-mail launch command. . . 132

Working with Launch Commands . . . 133

Creating Launch Commands . . . 133

Executing Launch Commands . . . 134

Modifying Launch Commands . . . 134

Deleting Launch Commands . . . 135

Exporting Launch Commands . . . 135

Importing Launch Commands. . . 135

Launch Contexts . . . 136

Launch Commands . . . 137

Global Context . . . 138

Machine List Context . . . 139

Report List Context . . . 140

Report Context . . . 141

Rule Block Context . . . 142

Update Database Context. . . 143

Violation Context. . . 144

Launch Command Parameters . . . 145

Launch Command Parameter List . . . 146

Launch Command Examples. . . 153

Telnet . . . 153

Ping . . . 153

View Manager Report in Browser . . . 153

E-mail Manager Report . . . 154


Cryptographic Signatures. . . 156

Passphrase Management . . . 157

Authentication . . . 158

Key Exchange . . . 158

Changing Authentication Keys . . . 159

Secure Data Communication . . . 159


1 Introduction to Tripwire Manager

This chapter introduces Tripwire Manager, which you use to manage multiple installations of Tripwire software across a network.

If you are new to Tripwire software or to the concepts of data and network integrity, this chapter gives you the background that you need. If you have previous experience with Tripwire software, read about the new features in this release of Tripwire Manager before moving on.


Introduction to Tripwire Software

Tripwire software assures the integrity of critical data and network infrastructure by detecting and reporting change.

You configure Tripwire software to monitor the data that is important to you. Based on your configuration, the software creates a baseline snapshot of your data in a known good state.

After you establish the baseline, you run regular integrity checks to monitor your data. During an integrity check, Tripwire software compares the current state of data to the baseline and reports a violation for any change it detects.

You examine report files to help you evaluate changes to your data. To resolve malicious or unauthorized changes, you can take appropriate measures, such as restoring changed files.

If changes are acceptable, you can update the baseline database to include them so that Tripwire software no longer detects them as violations.

[Diagram labels: Baseline, Current Data, Tripwire Software]

1. Tripwire software stores a baseline "snapshot" of your data. "This is how the data should look."

2. An integrity check compares the baseline to the current state of the data to identify changes. "Is the data the same as it was?"

3. Tripwire software reports a violation for each change it detects. "What changed?"

You examine changes and take appropriate action. This may include restoring changed data or updating the baseline.

Tripwire Manager System Architecture

The Tripwire Manager system consists of two main components:

Tripwire for Servers, a self-contained integrity assessment system that you install on each machine you want to monitor. Tripwire for Servers reports additions, deletions, or modifications to monitored objects.

Tripwire Manager, a Java application with a graphical user interface (GUI) that allows you to manage multiple installations of Tripwire for Servers software from a central location.

The most basic configuration is a single Manager that controls all Tripwire for Servers machines.

Multiple Managers can connect to the same Tripwire for Servers machine. However, only one Manager can make changes to a Tripwire for Servers machine at a time. See page 6 for more information.


How Tripwire for Servers Works

Tripwire for Servers is a self-contained integrity checking system that resides on each machine you want to monitor. Tripwire for Servers works in the same way, whether you use Tripwire Manager to manage machines or issue commands from the command line.

1. After installing Tripwire for Servers, your first step is to customize your policy file. In the policy file you specify which directories, files, or registry objects you want the software to monitor.

2. Next, initialize a database file. This database is a compact digital snapshot of the system in a known-good state. This serves as the baseline for integrity checks later on.

3. After initializing the database file, you may need to edit the policy file so that it better matches the system. This process is called “tuning” your policy file.

4. Run integrity checks. During a check, Tripwire software compares the current state of the system to data in the database file and reports any changes it detects. You can view reports with Tripwire Manager, send them via e-mail or SNMP trap, or write them to system log files.

5. Analyze reports to decide if changes to the system are authorized.

6. If you discover unauthorized changes, take appropriate measures, including restoring files from backup, or changing security procedures to prevent further intrusions.

7. If you discover authorized changes, update the database file to reflect the changed state of the system. This prevents the software from flagging these same changes as violations in the future. After you resolve all of the changes, you can run another integrity check to verify the integrity of the system.

8. After integrity checks, you may need to update the existing policy file to monitor new files, or to change rules that generate noise in report files.

[Flowchart of the steps above: 1. Install software & create policy file; 2. Initialize database file; 3. Tune policy file; 4. Run integrity check; 5. Examine report file; 6. Take appropriate security measures; 7. Update database file. Decision points: Policy file working properly? Changes found? Changes permitted?]

Using Multiple Tripwire Managers

Each Tripwire Manager can connect to a Tripwire for Servers machine in two ways. The number and type of connections for each Tripwire Manager are controlled by its license file.

• With a Controlling connection, a Manager can perform any Tripwire task on a Tripwire for Servers machine. This includes checking integrity, viewing reports, and editing and updating files.

• With a Viewing connection, a Manager can only view reports and files on a Tripwire for Servers machine. A Manager that can only have Viewing connections is called a Tripwire Monitor.

If your network has more than one controlling Manager, a Manager may be granted Controlling connections with some machines and Viewing connections with other machines at the same time. The type of connection a Manager has with a Tripwire for Servers machine is shown by its icon in the Machine List (page 11).

Controlling Connections with Multiple Managers

Multiple Managers can connect to a Tripwire for Servers machine, but only one Manager can have a Controlling connection for the machine. The first Manager registered to a Tripwire for Servers machine with a Controlling connection controls that machine. Until this Manager disconnects, other Managers can only establish a Viewing connection with this machine.

When the first Manager disconnects, the next manager that requested a Controlling connection will receive it, passing on the Controlling connection in the order in which the Managers registered to that Tripwire for Servers machine.

You can change the hierarchy of control by disconnecting all Managers from a Tripwire for Servers machine, then adding them back in a new order (page 42).

New Features in this Version

Tripwire Manager includes a number of new features in this release. These features enable you to:

• approve violations on machines by severity, or based on a template file. See pages 89-90.

• launch Tripwire Manager from an external application, without additional user input. See page 118.

• integrate Tripwire Manager with external applications when using the database update window. See page 143.

• select an object in a report file to locate the corresponding policy file rule, or add an exclusion. See page 72.

• track additional classes of events with the Event Tracking Flags configuration parameter. See page 22.

• verify passphrases on Tripwire for Servers machines. See page 101.

• recognize communication problems between Tripwire Manager and Tripwire for Servers machines. See page 12.

• adjust socket connect timeout value used with Tripwire for Servers machines. See page 48.

2 Tripwire Manager Interface

This chapter describes features of the Tripwire Manager interface. The interface is information-rich, so understanding it helps you to get the most benefit from the software.


Tripwire Manager Windows

Tripwire Manager consists of five windows you can resize and rearrange to customize the interface.

A. Machine List shows Tripwire for Servers machines currently registered to this Tripwire Manager

B. Network Status shows the current status of Tripwire for Servers machines

C. Action Window provides quick access to commonly-performed tasks

D. Output Window shows feedback from Tripwire for Servers machines


Machine List

The Machine List shows information about the Tripwire for Servers machines registered to this Manager. Tripwire for Servers machines are arranged into groups. You can establish multiple levels of machine groups, as well.

The folder icon shows the severity of violations for the machines in that group, based on each machine’s most recent report file. See page 62 of the Tripwire Reference Guide for information on severity.

Red means at least one machine in the group has a high-severity violation

Yellow means at least one machine in the group has a medium-severity violation, but no machines have high-severity violations

Blue means at least one machine in the group has a low-severity violation, but no machines have high- or medium-severity violations

Green means no machines in the group have violations

Gray means that none of the machines in the group have report data and, therefore, severity cannot be determined for the group

Mixed statuses can occur. Group folders may have half-colors. For example, a folder that is half gray and half red, blue, or green indicates that one or more machines in the group does not have report data. The folder’s color represents the highest severity level violation for the machines that have report data.

The machine icon shows the severity of violations for that machine, based on its most recent report file.

A connection icon shows what type of connection this Manager has with the machine.

The Severity column displays the severity of the violations that have occurred on a given machine. The color coding for the Severity column is identical to the color coding described above.

The Type column indicates the type of violations that have occurred on a given machine. The violation types are indicated by different colors:

• Olive green indicates that objects have been added.

• Teal indicates that objects have been removed.

• Purple indicates that objects have been changed.

Red means the machine has at least one high-severity violation

Yellow means the machine has at least one medium-severity violation, but no high-severity violations

Blue means the machine has at least one low-severity violation, but no high- or medium-severity violations

Green means the machine has no violations

A question mark means the machine does not have a current report file, or has not been polled for status.

You can update a machine’s status by right-clicking the machine and selecting Refresh Status, or by running an integrity check.

A red X means that the Manager cannot connect to this machine because of network or configuration problems. See page 108 for information on connection problems.

A wrench means this Manager has a Controlling connection with this machine, and can perform all Tripwire tasks. See page 6.

Glasses mean a Viewing connection. This Manager can view files and reports but cannot edit files or run integrity checks on this machine.

The Connection Error icon means that communication between the Manager and this machine is disrupted. You may need to change the timeout settings for network communication. See page 108.

Creating a Machine List

In order for Tripwire Manager to monitor a machine (or machine group) you must include that machine in the Machine List. You can connect machines individually, or import a list. If you are connecting more than ten machines, it is faster to import a list.

To import a list of Tripwire for Servers machines:

1. Create a comma-delimited .txt file listing each Tripwire for Servers machine on a separate line, using this format:

machine_name,group,address,port#,memo,site,local

• group is this machine’s Tripwire Manager group (page 11). If you don’t want to group machines, leave this field empty.

• address can be specified using an IP address or DNS hostname

• site and local are the site and local passphrases for each machine

If you omit any of the fields in the import file, leave that field’s comma as a placeholder.

2. Select Manager > Add Machines in the Tripwire Manager menu, then click Import and navigate to the import file.
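A pre-import check for the machine list file described above, added here as an example (it is not Tripwire code). It assumes fields are split on every comma with no quoting, treats machine_name and address as required, and uses constructed hosts and passphrases; because the file carries site and local passphrases in clear text, it also checks the file's POSIX permissions and masks the passphrases before anything is printed.

```python
import os
import stat

# Field order from the import format: machine_name,group,address,port#,memo,site,local
FIELDS = ("machine_name", "group", "address", "port", "memo", "site", "local")
SECRET_FIELDS = ("site", "local")  # passphrase columns


def parse_machine_list(text):
    """Parse import-file text into (records, problems).

    problems is a list of (line_number, message). Assumption: no quoting or
    escaping exists, so a comma inside a memo or passphrase changes the field
    count and is reported rather than silently shifting columns.
    """
    records, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        parts = raw.split(",")
        if len(parts) != len(FIELDS):
            problems.append((lineno, "expected 7 fields, found %d" % len(parts)))
            continue
        rec = dict(zip(FIELDS, parts))
        # Trim only non-secret fields; whitespace in a passphrase may be significant.
        for name in FIELDS:
            if name not in SECRET_FIELDS:
                rec[name] = rec[name].strip()
        # Assumption of this example: a usable entry needs a name and an address.
        if not rec["machine_name"]:
            problems.append((lineno, "machine_name is empty"))
        if not rec["address"]:
            problems.append((lineno, "address is empty"))
        port = rec["port"]
        valid_port = port.isascii() and port.isdigit() and 1 <= int(port) <= 65535
        if port and not valid_port:
            problems.append((lineno, "port %r is not a number in 1-65535" % port))
        if rec["machine_name"] and rec["machine_name"] in seen:
            problems.append((lineno, "duplicate machine_name %r" % rec["machine_name"]))
        seen.add(rec["machine_name"])
        records.append(rec)
    return records, problems


def redact(record):
    """Copy of a record that is safe to print or log: passphrases masked."""
    return {k: ("<redacted>" if k in SECRET_FIELDS and v else v)
            for k, v in record.items()}


def readable_by_others(path):
    """True if group or other hold any permission bit on the file (POSIX)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed sample input; hosts and passphrases are made up.
SAMPLE = (
    "web01,Web,192.0.2.10,1169,front end,site-phrase-1,local-phrase-1\n"
    "db01,,db01.example.test,,,site-phrase-1,local-phrase-2\n"        # omitted fields
    "mail01,Mail,192.0.2.30,99999,,site-phrase-1,local-phrase-3\n"    # bad port
    "app01,Web,192.0.2.40,1169,note,site,phrase,local-phrase-4\n"     # comma in passphrase
)

if __name__ == "__main__":
    recs, probs = parse_machine_list(SAMPLE)
    for rec in recs:
        print(redact(rec))
    for lineno, message in probs:
        print("line %d: %s" % (lineno, message))
```

Run `readable_by_others()` on the real import file before and after the import; the file is only needed for the import itself and holds every machine's passphrases.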


To add Tripwire for Servers machines individually:

1. Select Manager > Add Machines from the menu.

2. Enter information for the machine you want to add.

• Use default port number 1169, unless a different port is specified in a machine’s agent.cfg file.

• If you use DHCP to assign IP addresses in your network dynamically, put the DNS-resolvable hostname for the machine in the Address field AND the Machine Name field.

3. Click Add to add more than one machine, and enter information for the next machine.

4. Click OK to register the machines, then provide the console passphrase for the Manager and the site and local passphrases for each Tripwire for Servers machine.

Grouping Machines

Tripwire Manager also allows you to group machines with multiple levels of hierarchy. For example, you could create groups of machines according to geographical location, or departments in your organization.

To create a machine group:

1. Select the machines in the machine list that you want to include in the group.

2. Choose Regroup Agents from the Tripwire Manager menu.

3. Select a group from the list, or click New Group and give the new group a name in the resulting dialog box.

To create a nested machine group:

1. Select the machines in the machine list that you want to include in the group.

2. Choose Regroup Agents from the Manager menu.

3. Click New Group.

4. Choose the machine group that is to be the parent group from the list of defined machine groups.

5. Enter a name for the new child group.

6. Click OK.

Tripwire Manager creates the new group as a child to the parent group, with the selected machines as members of the new group.


Network Status Window

The Network Status pie chart shows four types of status information, using the data from current report files. The pie chart can reflect status information from all machines, or only the currently selected set of machines.

Click for a more detailed, printable version of any chart.

Machine Status shows current tasks for all machines

Report Summary shows all machines categorized by the highest-severity violation from each machine’s most recent report file. See page 62 of the Tripwire Reference Guide for information on severity.

Enterprise Integrity shows the total number of violations for all machines, categorized by severity level. All violations are expressed at the level of the highest-severity violation from each machine’s most recent report file.

Violation Types shows the type of violations (additions, deletions, or changes) for all machines

Machines without current report files (indicated by the icon) do not contribute data to Report Summary, Enterprise Integrity, or Violation Types charts.

When machines do not have current report files, you can refresh their status, or run another integrity check to produce a current report file.

Action Window

The Action Window provides access to common operations. You can also perform all of the Action Window tasks from the Machine menu.

Output Window

The Output Window provides feedback from Tripwire for Servers machines. Tripwire for Servers machines also write this output to the log file specified in Preferences (page 48).

• Blue text indicates successful completion of Tripwire for Servers tasks.

• Red text indicates Tripwire for Servers tasks were unsuccessful.

• Black text indicates Tripwire Manager-related information.

Main Window

The Main Window shows Tripwire files so that you can edit them. You can have multiple editing windows for multiple Tripwire for Servers machines open at the same time. Tripwire Manager keeps the currently active editing window highlighted and on top.

Selecting Windows to View

In addition to clicking on windows to open them, you can access any open window within the main window as follows.

To view a particular window in the main window:

1. Select View > Windows.

2. Select the window you want to view.

3. Click Switch to Window.

Configuration File Editor

The Configuration File Editor provides a method for setting the configuration parameters for Tripwire for Servers machines. This editor consists of the following tabs:

• Files tab (page 19)

• Checking tab (page 21)

• E-mail tab (page 24)

• Logging tab (page 27)

• SNMP tab (page 30)

• Other tab (page 32)

Files Tab

On the Files tab, you can set the following configuration options:

Policyfile: Path to the policy file used for integrity checking.

Default value: <TFS_root>\policy\tw.pol

Database File: Path to and name of the database file.

Default value: <TFS_root>\db\database.twd

Report File: Path and name for report files. Tripwire for Servers writes report files to this directory on the local machine.

Site Key File: Path to the site key file that signs the Tripwire configuration and policy files.

Default value: <TFS_root>\key\site.key

Local Key File: Path to the local key file that signs the Tripwire database file and (optionally) report files.

Default value: <TFS_root>\key\local.key

Temporary Directory: Temp directory for storing Tripwire for Servers temporary files.

Default value: /tmp in UNIX, system default temp directory in Windows

Policy Rights: UNIX-style Read/Write/Execute permissions for the policy file.

Default value: 644

Valid values: (3 octal digits)

Database Rights: UNIX-style Read/Write/Execute permissions for the database file.

Default value: 644

Valid values: (3 octal digits)

Report Rights: UNIX-style Read/Write/Execute permissions for report files.

Default value: 644

Valid values: (3 octal digits)

Config Rights: UNIX-style Read/Write/Execute permissions for configuration files.

Default value: 644

Checking Tab

On the Checking tab, you can set the following configuration options:

Loose Directory Checking: Suppresses checking of some directory and registry key properties. This reduces duplicate violations (one for the change to an object and one for the change to its parent directory or registry key).

Reset Access Time: Causes Tripwire for Servers to reset the access time of a file system object to the value it was when the software accessed the object.

Enable Event Tracking: Turns event tracking on. Event tracking provides additional information about who made changes to files and registry keys, when they changed them, and what they changed. Note that a significant amount of server-side configuration is required to fully enable this feature. See the Tripwire for Servers User Guide for details.

Event Tracking Flags: Specify additional types of events for Tripwire for Servers to track. See the Tripwire Reference Guide for details.

Traverse Mount Points: Causes Tripwire for Servers to cross file system mount points during integrity checks.

Selecting this parameter may introduce security risks. If you check this parameter, we recommend you limit recursion by adding recurse attributes to the policy file.

Politeness: Sets Politeness level (0-5). This setting lets you control the balance between CPU usage and the amount of time the operation takes to complete. The higher the number, the more CPU time Tripwire yields to other processes. At the default level of 0, Tripwire does not wait for other applications.

Allow Command Execution: Turns command execution on or off.

Execute as User: Specifies a user account to run command execution processes.

Dependency: Allow Command Execution must be on.

U

Global On Violation: Specifies an absolute path to an executable file, and any command-line options you want to pass to the executable. Executed for each violation detected. If a violated rule also uses the onviolation command, that command will run instead of this Global On Violation command for that object only.

If the path to the executable contains white space, it must be quoted. Use the same syntax as the onviolation attribute (see page 18 of the Tripwire Reference Guide).

Valid values: an absolute path to an executable file

Dependency: Allow Command Execution must be on

Max Command Processes: Specifies the maximum number of processes that command execution can spawn for each integrity check. This does not affect the command spawned by the Always Run Once parameter.

If this parameter is omitted or does not have a value, Tripwire for Servers can spawn an unlimited number of processes.

Valid values: any positive integer

Dependency: Allow Command Execution must be on

Always Run Once: Specifies an absolute path to an executable file, and any command-line options you want to pass to the executable. Executed exactly once after an integrity check, whether or not any violations are found. If a violated rule also uses an onviolation command, that command will run in addition to this Always Run Once command.

E-mail Tab

On the E-mail tab, you can set the following configuration options:

Mail Method: The protocol for sending e-mail reports.

Valid values: SMTP, sendmail, or MAPI (for Windows)

Default value: SMTP

SMTP Host: The domain name or IP address of the SMTP server.

Dependency: Mail Method must be set to SMTP

Valid values: IP address or domain name of SMTP server

SMTP Port: The port number for SMTP.

Dependency: Mail Method must be set to SMTP

Default value: 25

Mail Program: Path and arguments to a mail program.

Dependency: Mail Method must be set to sendmail

Case-sensitive: yes

A valid mail program must:

• be executable by the user account Tripwire for Servers is running under

• take an RFC822-style mail header

• list recipients in the To field of the mail header

• ignore lines of a single period

From Address: A resolvable From address for e-mail reports sent via SMTP or sendmail. This option does not work for MAPI.

Valid values: one resolvable SMTP e-mail address

Example: [email protected]

Case-sensitive: no (both [email protected] and [email protected] are acceptable)

Character Encoding: Character set for Tripwire SMTP e-mail reports. This option does not work for MAPI.

E-mail Report Level: A level of detail for e-mail reports.

Default value: 3

Valid values: 0 to 4

0 single line summary report; lists total adds, removes and changes

1 parsable list of all violated objects

Mail ‘No Violations’ Reports: Causes Tripwire for Servers to send e-mail notification even when integrity checks detect no violations. For the highest security, set this parameter to true.

Localize E-mail: Controls localization of e-mail reports on Japanese locales. If your e-mail servers and clients do not handle multi-byte characters well, you can work around this by unchecking this option. When unchecked, e-mail reports are sent in English on Japanese locales.

Global E-mail: E-mail addresses to receive (all) e-mail reports after each integrity check. When Mail ‘No Violations’ Reports is unchecked, reports are not sent when integrity checks detect no violations.

Default value: none

Valid values: any valid e-mail address or addresses

NOTE: You can delimit multiple e-mail addresses with semicolons. For more information, see page 10 of the Tripwire Reference Guide.

Logging Tab

On the Logging tab, you can set the following configuration options:

Syslog Reporting: Causes Tripwire for Servers to log a record of database initializations, integrity checks, database updates, policy file updates, and commands executed by Tripwire to a system log file.

In UNIX, by default Tripwire for Servers makes log entries to the syslog from the user facility at the notice level.

In the Windows operating system, by default

Syslog Host Causes Tripwire for Servers to log syslog entries to a remote host or number of host machines.

NOTE: Without third-party tools, Tripwire for Servers cannot remotely log UNIX machine integrity check information to a Windows machine, or vice versa. Your syslog host must match the OS of the machine that generates the log information.

Valid values: \\remote_host

You can specify multiple remote hosts like this. Precede each host name with two \ characters:

SYSLOGHOST=\\host1 \\host2 \\host3 ...

Syslog Report Level Level of detail for syslog entries made for integrity checks.

Dependency: Syslog Reporting must be set to true

Default value: 0

Valid values: 0 to 2

0 single line summary syslog entry; lists total adds, removes, and changes

1 separate syslog entry for each violation

2 separate syslog entry for each violation; entry shows that a violation occurred, and which properties were violated

Syslog No Violations Causes Tripwire to log notification to the syslog when an integrity check detects no violations. For the highest security, activate this option.
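When clean checks are also reported (Mail ‘No Violations’ Reports, Syslog No Violations), a log consumer can treat a missing entry as a sign that a check did not run or that its output was suppressed. The following is an added example, not Tripwire code: the log line layout, host names, and interval are constructed for illustration and do not reproduce Tripwire's actual syslog format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: one level-0 style summary line per integrity check.
# The field layout is an assumption made for this example only.
SAMPLE_LOG = """\
2024-05-01T01:00:07 web01 tripwire: summary: added=0 removed=0 changed=0
2024-05-01T01:00:09 db01 tripwire: summary: added=0 removed=0 changed=0
2024-05-02T01:00:05 web01 tripwire: summary: added=1 removed=0 changed=2
2024-05-02T01:00:11 db01 tripwire: summary: added=0 removed=0 changed=0
2024-05-03T01:00:06 web01 tripwire: summary: added=0 removed=0 changed=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) tripwire: summary: "
    r"added=(?P<added>\d+) removed=(?P<removed>\d+) changed=(?P<changed>\d+)$"
)


def last_summaries(log_text):
    """Return {host: (timestamp, total_violations)} for each host's newest entry."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a summary line; ignore
        ts = datetime.fromisoformat(m["ts"])
        total = int(m["added"]) + int(m["removed"]) + int(m["changed"])
        prev = latest.get(m["host"])
        if prev is None or ts > prev[0]:
            latest[m["host"]] = (ts, total)
    return latest


def silent_hosts(expected_hosts, log_text, now, max_gap):
    """List (host, last_seen) for hosts with no summary entry within max_gap.

    last_seen is None when the host never reported at all. This only works
    if clean checks are logged too; otherwise silence and "no violations"
    look the same.
    """
    latest = last_summaries(log_text)
    silent = []
    for host in expected_hosts:
        seen = latest.get(host)
        if seen is None:
            silent.append((host, None))
        elif now - seen[0] > max_gap:
            silent.append((host, seen[0]))
    return silent


if __name__ == "__main__":
    now = datetime(2024, 5, 3, 6, 0, 0)
    # Daily checks are assumed, so allow 25 hours before raising an alert.
    for host, seen in silent_hosts(["web01", "db01", "app01"], SAMPLE_LOG,
                                   now, timedelta(hours=25)):
        print(f"ALERT {host}: last integrity summary {seen or 'never'}")
```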

Syslog Const Causes Tripwire to report all events that use a Tripwire for Servers executable, including events that do not change the state of Tripwire for Servers files (such as printing reports, examining encryption, or accessing help on the command line).

Localize Syslog Controls localization of syslog messages on Japanese locales. To write Tripwire syslog messages in multi-byte characters on Japanese locales, check this option.

NOTE: Not all syslog utilities support multi-byte characters. To work around this, leave this option unchecked.

Audit Log Causes Tripwire for Servers to write audit log entries with the same level of report information specified by the Syslog Report Level. Allows integration of Tripwire for Servers integrity check information with other applications that read audit entries.

Syslog Facility Specifies the destination facility for syslog entries made by Tripwire.

Valid values: Varies by operating system (see table)

OS         Valid values

UNIX       user, local0 through local7, auth, authpriv (Default: user)

Windows    application, system

Syslog Priority Allows Tripwire for Servers to access the numeric range

SNMP Tab

On the SNMP tab, you can set the following configuration options:

SNMP Host Causes Tripwire for Servers to send an SNMP message trap to the specified host. The information sent is identical to a level 0 e-mail report (a one-line summary of total violations).

Valid values: IP address or domain name of SNMP host

SNMP Port Specifies which port on the SNMP host Tripwire for Servers should use for SNMP traffic.

Default value: public

Valid values: any text string

SNMP Community Sets the community name in SNMP trap messages from Tripwire for Servers. This option is only relevant for SNMP version 1.

Valid values: any text string

SNMP on “No Violations” Causes Tripwire for Servers to send an SNMP trap even when integrity checks detect no violations.

Determine IP address of server automatically Causes Tripwire to automatically determine the Network Interface Card (NIC) to use for SNMP traps. Select this option only if your machine has one NIC.

Send SNMP traps from the following IP Causes Tripwire to use the Network Interface Card (NIC) that you specify for SNMP traps. Select this option if your machine has more than one NIC.

Other Tab

On the Other tab, you can set the following command-line-related configuration options:

Editor Sets an absolute path to a text editor for interactive integrity checks. (Interactive integrity checks allow an update of the database directly after an integrity check.) If the path to the executable contains white space, it must be quoted.

A valid text editor must:

• approve a file on the command line

• exit with 0 status on success and non-0 status on error.

Both vi and emacs satisfy the text editor requirements in UNIX. Both Notepad and Wordpad satisfy the text editor requirements on Windows.

If the configuration file does not specify an editor and no editor is specified on the command line, Tripwire for Servers uses the $VISUAL or $EDITOR environment variables. If these do not specify an editor, Tripwire for Servers displays an error message.

Machine Report Level Specifies a default level of detail for Tripwire report files generated from the command line.

Default value: 3

Valid values: 0 to 4

0 single line summary report; lists total adds, removes and changes

1 parsable list of all violated objects

2 summary report; lists violations by section and rule name

3 lists “added object” and “removed object” violations plus expected vs. observed properties for “modified object” violations

Machine Report Format Specifies a default format for Tripwire report files generated from the command line.

Default value: classic (plain text)

Valid values: classic, HTML, XML

Database Printing Format Specifies a default format for Tripwire database files printed from the command line.

Default value: classic

Valid values: classic, HTML, XML

Database Printing Level Specifies a default level of detail for Tripwire database files printed from the command line.

Default value: 2

Valid values: 0 to 2

0 summary of the database file, without objects

1 all objects in the database file

2 all objects in the database file, plus properties monitored for each object

Late Prompting Causes Tripwire for Servers to delay the prompt for passphrases until the last moment. This minimizes the amount of time a passphrase stays in memory.

Policy File Editor

The Policy File Editor provides a method for you to quickly create or edit policy files through a graphical user interface. You can also use a text editor to edit policy files, if you prefer. For information on using the Policy File Editor, see page 72.

The Policy File Editor consists of two (for UNIX) or three (for Windows) tabs, which appear in the lower left of the frame:

B. File System Displays the variables that exist in the File System section of the policy file (in the upper right pane) and the rules, exclusions, and rule blocks that exist in the policy file (in the lower right pane).

C. Registry Displays the defined variables that exist in the Registry section of the policy file (in the upper right pane) and the rules, exclusions, and rule blocks that exist in the policy file (in the lower right pane).

NOTE: The Registry tab appears only if you are working with a Windows machine.

Report Viewer

The Report Viewer displays violation reports generated by Tripwire for Servers machines. You also use it to update the database with report information.

The Report Viewer consists of three panes:

A. Main Pane Shows information about the open report files, and the violations within those files, in four different formats.

B. Object Pane Shows the children of any item selected in the Main Pane.

Main Pane

In the Main Pane you can switch between four tabs. Each tab provides you with a different view of the information in the open reports.

Reports Tab Shows all violations reported in the currently-open reports in a hierarchical tree structure. Report files are the top-level nodes in the tree.

Objects Tab Shows all objects in the open reports for which there have been violations and the number of machines on which the objects were violated.

Violations Tab Shows violations for all open reports as a list of entries. All times are expressed in the time zone of the Tripwire Manager machine.

Summary Tab Shows a pie chart of the number and severity of violations in all open reports. Click for a more detailed, printable summary of all current violations.

Detail Pane

The Detail pane displays details about the item that is currently selected. Icons denote any properties with unexpected values.

Report Viewer Icons

Report Files - This icon represents an open report file. The color of the icon reflects the severity level (page 62 of the Tripwire Reference Guide) of the most severe violation in the report:

• Red reports have at least one high-severity violation (severity level 66 or higher)

• Yellow reports have at least one medium-severity violation (severity level 33 to 65), but no high-severity violations

• Blue reports have at least one low-severity violation (severity level 0 to 32), but no high- or medium-severity violations

• Green reports have no violations

Errors - This icon represents errors that Tripwire software encountered during an integrity check. Errors could occur when:

• Permissions prevent Tripwire software from scanning objects

• Objects specified in the policy file are open for exclusive use

Report File Sections - This icon represents a section of the report file being displayed. The three possible sections are:

• Windows file system

• Windows registry

• UNIX file system

The section icons use the same colors as the report file icons (page 11) to display the highest severity level in each section of a report file.

Rules - This icon represents a report file rule that contains one or more violations. The color of the icon reflects the severity of the rule:

• Red rules have a severity level of 66 or higher

• Yellow rules have a severity level between 33 and 65

• Blue rules have a severity level between 0 and 32

Added Object - This icon signifies that a new file, directory, or registry object has been added. The icons are color-coded to indicate severity, as described above.

Click on an Added Object violation to see detailed information about the new object in the Details Window.

Removed Object - This icon signifies that a file, directory, or registry object has been removed. The icons are color-coded to indicate severity, as described above.

Click on a Removed Object violation to see the expected property information for the object in the Details Window.

Modified Object - This icon signifies that one or more of the properties that Tripwire software monitors for this object have changed. The icons are color-coded to indicate severity, as described above.

Click on a Modified Object violation to see both the expected and observed values for the object in the Details Window. Properties that have changed from their expected values are flagged.

Object Pane

The Object pane describes all the child objects of the object that is currently selected in the Main pane.

If you select an item in the Main pane, all of the child items are displayed in the Object pane. Click these objects to drill down for more detail. The Count column displays the number of machines on which violations with the same hash, object name, and origination were detected. Consider this example:

In this case, the count indicates that 100 machines have violations for the C:\test\DLLS object.

Special Menu Options

This section describes menus that give access to special Tripwire Manager features. Common features available in most software interfaces are not described.

NOTE: When Tripwire Manager has a Viewing connection (page 6) with a Tripwire for Servers machine, you cannot access some menu options for that machine.

Manager Menu

Add Machines - Register new Tripwire for Servers machines. You can add machines individually, or import a list of machines. See the Tripwire Manager Quick Start for more information.

Remove Machines - Unregister the selected Tripwire for Servers machines.

Synchronize Machines - Synchronize the Machine Lists for this Manager and another Manager, using a text file (see below). You can choose to add Tripwire for Servers machines, remove existing machines that are not in common, or do both.

Regroup Machines - Move all currently selected machines to a different group (page 14).

Export Selected Machines - Export the information for all selected machines to a text file. You can use this file to register the machines with another Tripwire Manager, or to synchronize another Manager’s Machine List with this one (see above).

Export Manager Report - Export a report file to an HTML file.

Change Tripwire Manager Passphrase - Change the Tripwire Manager passphrase (page 99).

Forget Tripwire Manager Passphrase - Immediately clear the Manager passphrase from memory.

Expand Machine Group - Expands the selected Machine Group (in the machine list view).

Collapse Machine Group - Collapses the selected Machine Group (in the machine list view).

Expand All Machine Groups - Expands all Machine Groups in the machine list.

Collapse All Machine Groups - Collapses all Machine Groups in the machine list.

Machine Menu

The Machine Menu provides access to the most commonly-performed tasks. You can also access most of these items from the Action Window (page 16) or by right-clicking a machine in the Machine List.

Edit Configuration File - Edit the configuration file (page 95) for the selected machines.

Edit Policy File - Edit the policy file (page 72) for the selected machines.

Edit Schedule File - Edit the schedule file (page 64) for the selected machines.

Open Integrity System - Open the integrity system for the selected machines. You can then edit and distribute the integrity system or save it locally (page 96).

Distribute File - Distribute a configuration, policy, or schedule file to selected machines.

Archive - Archive reports, policies, configurations, schedules, or integrity systems.

Integrity Check - Run an integrity check (page 58) for selected machines.

View Report - Examine the most recent report file (page 65) for selected machines.

Update Database - Update the database file (page 85) for the selected machines using their latest report file.

Initialize Database - Initialize the database file for the selected machines.

Approve Violations - Approve violations by choosing All, by Severity, or by Template.

Passphrases - Change passphrases using the following sub-menu options:

Verify Machine Site and Local - Verifies what Tripwire Manager and Tripwire for Servers believe the passphrases are for the selected machine (page 101).

Change Machine Site Passphrase - Change the site passphrase (page 100) for the selected machines.

Change Machine Local Passphrase - Change the local passphrase (page 100) for the selected machines.

Refresh Status - Refreshes the Tripwire Manager information for the selected machines.

Cancel Current Task - Halts the current task being performed on the selected machines.

View Menu

The View menu controls the appearance of Tripwire Manager. From the View menu, you can:

• Hide or display Tripwire Manager windows to display agent information

• Restore the windows to their default configurations

• Clear the contents of the Output Window

• Expand the Main Window to full screen size

• Open the Preferences dialog

Preferences

In the Preferences dialog, you set preferences for Tripwire Manager.

Logging tab Specify a file for logging information. If audit logging is activated (by selecting the Require audit trail information option), you must provide a reason when performing any operation that modifies the integrity system on a Tripwire for Servers machine. This includes editing files, changing passphrases, running an integrity check, initializing a database, or cancelling tasks. This information is displayed in the Output Window, and logged to the Tripwire Manager log file.

Updating tab Set the polling interval for Tripwire for Servers machines based on their conditions. By decreasing the intervals between updates, you increase the probability that Tripwire Manager accurately portrays a Tripwire for Servers machine at any given time, but at the cost of CPU and network performance.

You can decrease CPU and network load by increasing the interval between updates, but the Tripwire Manager’s display may be less in sync with the current state of Tripwire for Servers machines.

Timeouts tab Set timeout values for the amount of time that Tripwire Manager can be left inactive before prompting for the Tripwire Manager passphrase; set timeout values that Tripwire Manager should use to connect to machines. The default timeout settings should be sufficient for most installations. If you have connection problems, see page 108 for more information on timeout settings.

Notification tab Set the conditions and parameters for notification of down machines or new integrity data. Tripwire Manager can notify by sending e-mail (page 104), by executing a launch command (page 105), and by archiving report files (page 106).

E-mail tab Set the parameters for sending e-mail when Tripwire Manager uses e-mail as a notification method.

Policy Menu

Editing a Policy File (page 72) makes these items available from the Policy menu:

New - Create a new Variable, Rule Block, Rule, Exclusion, or Rules from Pattern.

Add Rule - Add a Rule.

Add Exclusion - Add an Exclusion.

Find Elements - Locate the Rule or Exclusion for the selected file or registry object.

Find Objects - Locate the file or registry object for the selected Rule or Exclusion.

Move to Block - Move selected Rules or Exclusions to another Rule, Block, or to a new Rule Block.

Convert to Rule - Change selected Exclusions into Rules.

Convert to Exclusion - Change selected Rules into Exclusions.

Refresh - Update the contents of the files or registry items displayed in the Objects pane, synchronizing the display with the current contents of the machine.

Report Menu

Opening a Report Viewer or Database Update makes these items available from the Report menu:

Search - Search all open report files (page 66) for violations with certain criteria.

Filter - Filter all open report files (page 67) using the same criteria as Search. Once you specify a filter, the Report Viewer shows only violations that meet its criteria. You must turn filtering off or change your Search criteria to change this.

Filtering Off - Turn off the current filter. The Report Viewer shows a flat display of all violations.

Use the following options to select or unselect violations to approve in the database (page 86). These options are only available if the Database Update window is open:

Approve All

Approve None

Approve by Severity

Approve Patch

Approve by Template

Use the following options to expand or collapse the selected report file, or all open report files:

Expand Current

Collapse Current

Expand All

Collapse All

Find Rule in Policy - Select an item in a report, and go directly to its rule in the policy file. The machine's policy file must also be open in a graphical policy editor.

Exclude Object from Policy - Select an item in a report, and create a new policy exclusion for it. The machine's policy file must also be open in a graphical policy editor.

Launch Menu

<User Defined Commands> - If you have defined your own launch commands, they appear at the top of the Launch Menu.

Edit Launch Commands - Edits launch commands.

Import Launch Commands - Imports launch commands.

3

Using Tripwire Manager

This chapter explains the operation of Tripwire Manager after you register and configure Tripwire for Servers machines. See the Tripwire Manager Quick Start for more information on configuring Tripwire Manager.

Normal Tripwire Operation

The diagram on the opposite page summarizes the operation of Tripwire software. Each of the steps in the process is described in greater detail in this chapter.

1. After configuring a Tripwire for Servers machine, you can run an integrity check at any time. Most users schedule regular integrity checks (page 64) for each machine in the network.

During a check, Tripwire software compares the data snapshot in the database file to the current state of the system and creates a report of changes.

2. If Tripwire software finds changes, you can view the report file to decide if the changes to the system are authorized (for example, caused by an OS update) or unauthorized (due to malicious or accidental changes).

3. If the changes are authorized, you should update the database file for that machine to reflect the current state of the system. This prevents these changes from being flagged as violations in the future.

If the changes are unauthorized, you should take appropriate measures, including restoring files from backup, or changing security procedures to prevent further intrusions.

4. After resolving all of the changes, run another integrity check to verify the integrity of the system.

5. After an integrity check, you may want to update the policy file for a machine to monitor new files, or to change rules that are generating unwanted noise in Tripwire report files.

[Diagram: normal Tripwire operation. Steps: Run integrity check; Examine report file; Update database file; Take appropriate security measures. Yes/No decisions: Changes found?; Changes permitted?; Policy file working properly?]

Checking Integrity

You can use Tripwire software to check the integrity of your system at any time. Most users schedule integrity checks (page 64) at regular intervals.

To run an integrity check:

1. Select a machine or group in the Machine List.

2. Select Machine > Integrity Check.

3. Select any desired options for this integrity check:

• Use the Selective Integrity Check options (page 59) to reduce the scope of this integrity check.

• Check Send E-mail Report to send an e-mail report of violations (page 62).

• Specify Matching options to determine if and how to apply wildcard patterns during the integrity check (page 63).

4. Click Run to launch the integrity check.

After an integrity check, you can view the report file with the Report Viewer (page 65).

Selective Integrity Check Options

During a regular integrity check, Tripwire applies the entire policy file to check a system. However, you can also run selective checks based on:

• severity levels

• specific rules or groups of rules

• specific objects

You can also:

• ignore particular properties

• apply specific policy file sections

• disable command executions associated with the integrity check

• sign reports

• e-mail reports

Checking Based on Severity Level

To run an integrity check based on severity level, select Minimum Severity Level and specify a minimum severity level. For example, if you specify a minimum severity level of 50, rules with a severity of less than 50 will not be run.

Checking with Specific Rules Only

To run an integrity check with specific rules, specify them in the Rule to Check field. Keep in mind that rule names are case-sensitive, and must be quoted if they contain spaces.

For example, suppose you have a rule named “My Project.” When you run an integrity check with “My Project” in the Rule to Check field, only that rule is applied.

To apply several rules, you can enter a comma-delimited list of rules, or select from the recently-used rules in the drop-down list.

NOTE: Arranging rules in rule blocks also makes it easy to apply several rules at once. To apply all rules in a rule block, specify the rule block’s name in the Rule to Check field. For more information about rule blocks, see page 76.

Checking Specific Objects Only

To check specific directories, files, or registry objects, specify them in the Objects to Check field, like this:

object object object...

/bin /usr

where object is the fully-qualified path to the object.

If the policy file is sectioned, specify section and object, like this:

section: object object... section: object object...

NTFS: C:\winnt C:\temp FS: /etc/cron.d

where section is NTFS, NTREG, or FS, and object is a fully-qualified path.

NOTE: You cannot use this option in conjunction with the Minimum Severity Level or Rule to Check fields.

Ignoring Properties

To ignore certain properties during an integrity check, specify them in the Properties to Ignore field. When Tripwire software runs an integrity check, collecting data for some properties, particularly hashes, can be time- and resource-intensive. To save resources, you can ignore these properties during the check.

List properties to ignore in the Properties to Ignore field, using the following format.

property,property,property...

p,u,g

section:property,property,section:property...

NTFS:access,readonly,write,NTREG:sdc,sacl

Checking Based on Policy File Section

To run an integrity check using only a particular policy file section, select that section from the dropdown list in the Section to Check field.

Disabling Command Execution

To disable command execution for the integrity check, select Disable Command Execution. When you select this option, all command executions will be disabled for the integrity check.

Signing Reports

If you specify Signed Report in the Integrity Check dialog box, the report file generated by the integrity check requires a local key passphrase to be opened.

NOTE: Signed reports are not an available option for scheduled events.

E-mailing Integrity Check Reports

You can configure Tripwire to e-mail integrity check reports. A Tripwire for Servers machine sends e-mail reports to all addresses specified in the Global E-mail field of the Configuration File editor (page 24) for that machine.

You can specify the level of report detail included in the e-mail by choosing a level from the dropdown list next to the Level field of the Integrity Check dialog box.

You can also specify the format (text, HTML, or XML) for any e-mail generated by the integrity check. Select the format you want from the dropdown list next to the Format field in the Integrity Check dialog box.

Checking Based on Matching Wildcard Patterns

You can use wildcard patterns to specify objects to check during integrity checks. There are three options available for pattern matching during integrity checks:

Perform the Default Matching: When you select this option, Tripwire checks objects based on the wildcard pattern specified in the policy file.

Disallow Wildcards: When you select this option, Tripwire checks all objects, ignoring any wildcard patterns.

Match the Pattern: When you select this option, Tripwire checks all objects that match the pattern you specify (superseding the wildcard pattern in the policy file):

• When a pattern includes (+), the software excludes every object that does not match the include pattern. You can specify exceptions to the pattern with the - character.

• When a pattern excludes (-), the software includes every object that does not match the exclude pattern. You can specify exceptions to the pattern with the + character.

• Multiple patterns may be separated by commas.

Consider these examples:

+*.dll,+*.txt      Checks all .dll and .txt files

-*.txt             Does not check any .txt files

+*.exe,-foo.exe    Checks all .exe files
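Because a Match the Pattern check narrows what gets examined, it helps to list which objects a pattern leaves unchecked before relying on the result. The following added example (not Tripwire's implementation) models the rules above under three assumptions: the first pattern decides whether the specification is an include or an exclude list, patterns are matched against the file name only, and matching is case-sensitive. The object paths are constructed.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Constructed sample objects (Windows and UNIX style paths).
OBJECTS = [
    r"C:\winnt\system32\kernel32.dll",
    r"C:\winnt\notes.txt",
    r"C:\temp\foo.exe",
    r"C:\temp\setup.exe",
    "/etc/cron.d/backup",
]


def parse_patterns(spec):
    """Split a spec such as '+*.exe,-foo.exe' into (sign, glob) pairs."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if len(item) < 2 or item[0] not in "+-":
            raise ValueError(f"each pattern needs a leading + or -: {item!r}")
        rules.append((item[0], item[1:]))
    return rules


def is_checked(path, spec):
    """Return True if the object would be checked under the pattern spec.

    Include mode (first pattern is +): only objects matching a + pattern are
    checked, minus any - exceptions.
    Exclude mode (first pattern is -): everything is checked except objects
    matching a - pattern, unless a + exception brings them back.
    """
    rules = parse_patterns(spec)
    # PureWindowsPath splits on both "\" and "/", so one call covers both styles.
    name = PureWindowsPath(path).name
    plus = any(sign == "+" and fnmatchcase(name, glob) for sign, glob in rules)
    minus = any(sign == "-" and fnmatchcase(name, glob) for sign, glob in rules)
    if rules[0][0] == "+":
        return plus and not minus
    return plus or not minus


def split_scope(paths, spec):
    """Partition paths into (checked, skipped) for review before a run."""
    checked = [p for p in paths if is_checked(p, spec)]
    skipped = [p for p in paths if not is_checked(p, spec)]
    return checked, skipped


if __name__ == "__main__":
    for spec in ("+*.dll,+*.txt", "-*.txt", "+*.exe,-foo.exe"):
        checked, skipped = split_scope(OBJECTS, spec)
        print(spec)
        print("  checked:", checked)
        print("  NOT checked:", skipped)
```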

Scheduling Integrity Checks

Schedule files let you schedule periodic integrity checks for Tripwire for Servers. Integrity checks are the only events that you can schedule. When scheduling routine integrity checks, make sure that only one check is running at a time. For example, if you are running a full integrity check once a day, with incremental checks every hour, make sure that the daily check begins and ends between the hourly checks.

To schedule integrity checks for Tripwire for Servers machines:

1. Select a machine or group in the Machine List.

2. Select Machine > Edit Schedule File.

3. Click New to add a new event.

4. Select an interval in Event Type and provide details in Event Time. All schedule file times are expressed in the local time of the Tripwire for Servers machine on which the file is used. However, all times displayed in the Tripwire Manager Machine List are displayed in the time zone of the Tripwire Manager. If you are scheduling integrity checks for machines in different time zones, be sure to adjust the times appropriately.

5. Click Edit Integrity Check Options to specify options for this integrity check (page 58).

6. Select File > Save to Machine to save the schedule file on the machine it originated from.

To distribute the schedule file to multiple machines:

1. Select the machines or groups in the Machine List.

2. Select Machine > Distribute File.

Viewing Reports

You view Tripwire report files with the Report Viewer, which opens in the main Tripwire Manager window.

To open the most recent report file for a machine:

1. Select a machine or group in the Machine List.

2. Select Machine > View Report.

To enlarge the Report Viewer, select View > Full Screen View.

To open an older Tripwire report file:

Searching Reports

With the Search option, you can select a subset of violations from open Tripwire reports. The Search dialog lists violations that fit the specified criteria, even if the violations have been filtered out (page 67).

To search for violations in all open Tripwire report files:

1. Select Report > Search.

2. Enter the search criteria in the Search Opened Reports dialog. You cannot use wildcards (* or ?) for keywords, and you must express all times in the time zone of the Tripwire Manager machine.

3. Click Search.

4. Double-click an item in the lower pane of the Search window to see more details.

Filtering Reports

You can filter report files to change the violations displayed in the Report Viewer. Filtering may also change the color of the report file icon (page 39) displayed in the Reports Tab.

The status of filtering is shown in the Report Viewer’s Status Bar.

To filter the violations displayed for all open Tripwire report files:

1. Select Report > Filter.

2. Enter the filter criteria in the Filter View dialog.

You cannot use wildcards for keywords, and you must express all times in the time zone of the Tripwire Manager machine.
