Tripwire Enterprise (TE) is at its heart a baselining engine. It’s been built to take information, create a baseline of it, and show when that baseline has changed. (It’s called a “version” in TE terms.)
TE starts with a baseline version designated by an organization’s security teams. At some point, a change version with new information (file, registry entry, RSoP, command output, or data captured in some other way) emerges. If the change was expected, TE helps customers to promote the change to the baseline. The current state of the information then becomes the new baseline. The baseline for each system is the current system state.
Change Management: Not All Changes Are Equal
When it comes to change management (aka file integrity management), however, not all changes are equally interesting for security, risk and compliance, or IT. There are files that change on a system constantly. These include log files, cache files, database records, and the like. Are there any security implications when those files change? Are there any change management implications of changes to those files?
Why yes, yes there are important reasons to track changes to those files. But not so much for the content changes. For log files, you should have processing in place to immediately send those to a centralized logging and alerting solution (like Tripwire Log Center, for instance). That way, even if someone tampers with the logs on a system, Tripwire Log Center or another solution has already received, hashed, and secured the real logs. This helps to preserve the real log files as the source of truth, thereby recognizing that cache files and temporary “tmp” files are not normally tracked for content changes.
Given that the logs are preserved, do you even need to track the log files? Well, if the ownership or permissions on those volatile files change, that should be known, tracked, and approved. Generally, the permissions of logs and temporary files are not modified once they are set. It goes without saying that those permissions should be set as securely as possible.
How Tripwire Can Help
You can monitor those log files with Tripwire, but if you’re using the Tripwire Event Generator that watches for file changes in real time, you can end up generating more load on the system than you might be willing to sacrifice.
So, how can you track files that constantly change for permission changes without adding a lot of load to your system?
The Tripwire Command Output Capture Rule (COCR) is the safest way to handle log tracking. By running a command to list the file permissions of the log files you need to monitor, you get a baseline of how the permissions are currently set. You should have a Tripwire secure configuration management (SCM) check, as well, to ensure the permissions meet your security standard for those log files. The COCR rules in Tripwire are not seen by the Event Generator. They won’t run in real time, and they won’t generate load on your system. You use a Tripwire Task to check the files on a scheduled basis and ensure the permissions stay secure. If the permissions have changed, they’ll show up in the COCR and produce a difference.
In reality, this type of change event doesn’t happen often, so there should be a check for it. If and when such an event does happen, then it’s important to check into it, as log permissions shouldn’t be changing to anything less secure. If they are made more secure and that change was expected, then you can approve the change and go on.
Permission changes to system log files open the door to allowing malware or malicious hackers to cover their tracks, so ensuring your log files are as secure as possible is one very important risk-reduction step that Tripwire can help you track. Some Tripwire customers in the past turned off log file tracking because they used the file system rules, which added too much load to their systems. Using the COCR rule method gives you the ability to secure the log files without putting undue load on your systems. If you need real-time tracking of the log file permissions, now you understand the trade-offs getting the “who” information brings. Check with your Tripwire Systems Engineer if you need direction in identifying which logs should be monitored and for getting those COCR rules in place.
Want to learn more about how tracking changes can help you to prevent a data breach? Join Tripwire on September 21 at 10 a.m. PT for “Tripwire Tips and Tricks: Change Reconciliation.” I will lead the discussion and walk attendees through steps for ensuring configurations meeting organizational standards, detecting changes across your entire IT service stack, and setting up workflow to automate the review of those changes, even in real-time.
You can register for the webinar here.