As we know, Tripwire Enterprise (TE) is the de-facto go-to solution for File Integrity Monitoring (FIM). In normal operations, we deploy a TE agent to a system we want to monitor. TE then uses that agent to baseline the system against the appropriate rules, creating a known good state for that system. Moving forward, that system is monitored for change per the rules that were used to create the baseline.
The list of supported operating systems for a given version of TE is fairly extensive, so most of what I may want to run in my datacenter will be supported.
Agent-Based vs. Agentless Monitoring
Notice that I said “most” above and not “all.” This distinction is important because I’m not using an agent for everything. Agents sit on external devices that require O/S compatibility, notes Security Boulevard. As a result, my ability to scan some of my assets using agents is limited.
So, I might decide to go the agentless route. Doing so could allow me to conduct those assessments without needing to worry about compatibility issues. There’s a host of other security and operations reasons that could motivate me to make this choice, as well.
That raises an important question: can I still use Tripwire Enterprise for agentless monitoring? How do you enforce FIM on operating systems that have reached their end-of-life for support or on endpoints that aren’t able to have agents installed?
FreeBSD as an Example of Agentless Monitoring
Let’s use that FreeBSD system over there as an example. Can I use Tripwire Enterprise to monitor it? Well, yes. Yes, you can. TE provides the ability to monitor an unsupported system via SSH, or Secure SHell. Being that FreeBSD has never been a platform supported by TE and that there is no content available for it, we need to figure out what to monitor and build those rules accordingly.
The first step is to create a new node within TE. With that done, we can determine what we want to monitor and build the rules from there. FIM on our FreeBSD node is then possible.
What follows is baselining the node, scheduling the evaluation of the node and reporting on any changes. So, the complete sequence looks something like this:
- Create the node within TE
- Determine what to monitor
- Build appropriate rules
- Schedule monitoring
Tripwire’s Upcoming Webinar
I’m going to run through this example in detail on April 27 at 10 a.m. PT for the second webinar in the Tripwire Tips and Tricks series. We will create a new FreeBSD node and take a look at the rules which have been created to monitor it. We will also take a look at how building new rules for an unsupported O/S makes use of built-in O/S utilities.
The purpose of this webinar to learn how to use agentless monitoring so that attendees can broaden the impacts of your cybersecurity program. Our main focus will be FIM, TE and the FreeBSD example. But it’s important to note that agentless monitoring doesn’t end there for Tripwire. There’s also Tripwire Data Collector (TDC), a supporting product for TE which allows for both FIM and Security Configuration Management (SCM). (Our SSH-based example is FIM only.) We’ll touch on TDC in our session.
This installment of the Tripwire Tips and Tricks series is geared towards all types of customers including those who might looking to make the most out of their Tripwire investment as well as those who are on the market for a new security solution. There will be a Q&A session at the end, at which point I’ll be happy to answer any questions.
More information about the webinar including registration details is available here.