The systems in your environment are extremely important assets. There’s a reason that you’re trying to secure them. There are often many ways to think about these important assets. Some are used for financial information, some are web servers, and others store intellectual property and so on.
These same assets may be in many different locations around the country or the world. When the number of systems you’re managing reaches a certain level, automation of the system monitoring becomes a must and classification of the systems becomes an important way to prioritize and manage the information about your assets.
Tripwire Enterprise (TE) introduced Asset Tagging as a way to automate many of the ways you manage change and configuration information. The purpose of this article is to demonstrate how this is done in TE and how you can use it as a powerful method of bringing important security information to the forefront.
Creating Asset Tags
Asset Tags give you a way to assign information about a System (a node in Tripwire) to the asset item. This also creates groups for those nodes in the Smart Node Groups area of the Tripwire GUI.
There are 3 common types of Asset Tags you may want to create.
- Tags for assigning Tripwire Rules to an asset
- Tags for what assets to include in Tripwire Reports
- Tags for administrative purposes
An example of a tag used to assign rules: tag an asset with a Linux-Oracle tag, then create a Tripwire Task that uses the Oracle application Rule (filesystem) and indicates the node group Linux-Oracle for running the check. Any new assets that are assigned the tag “Linux-Oracle” will be automatically added to that group, and the next time the Task created for that group runs, the new asset with that tag will be baselined.
An example of an asset tag that deals with reporting is to assign a Threat Level to an asset based on the scan results from IP360. Any systems with a Threat Level that’s High may be automatically added to a report such as “new executable files added to the system”. Until the system is patched and rescanned, this report about an unpatched asset reduces the risk that the vulnerability was exploited by showing you any new executable files on that set of at-risk assets.
An example of an Administrative Tag could be “EG-Processed”, to show that you’ve turned on the Tripwire Event Generator for that asset. It is not used for reporting or checking, but is still useful for the Tripwire Administrator. The first step is to create the asset tags to be assigned in the Tag Sets area of the Tag Management display.
In Screenshot 1 you can see that “Manage Tagging” was clicked on, then in the left pane “Tag Sets” was chosen. This brought the currently defined set of Tag Sets and their tags into view in the center pane. The right pane has some documentation with suggestions and help for creating Tag Sets and tags.
If you know what traits you’d like to assign to your various assets, then you’re ready to group them by their function and come up with a Tag Set name. Then add the tags that belong to that group to the tag set. Empty tag sets have a link called “add tags” across from the tag set name. Click on the “add tags” link and start entering the names in the space provided below the tag set name.
Once you’ve created all of the Asset Tags you need to classify your assets, the next step is to start assigning those tags to your assets.
Assigning Asset Tags Manually
You can manage tags for each asset (or multiple assets) from here by choosing the checkboxes next to each asset and then following the steps to manually assign asset tags. This is usually done for one-off assets or if there’s very little change in the list of assets tracked by Tripwire.
Check the boxes next to the names of the assets in the center pane you want to assign tags to, and notice that the right side pane changes to show the “Edit Tags” button. Choose the Edit Tags button and the center pane changes to show the tags.
Next, open up the tag set(s) by clicking on the > icon next to the tag sets you’re interested in using.
Once the tag sets are open, click on the tags you want to assign to the chosen assets. By clicking on the checkboxes next to the tags you want to use you’ve now assigned those tags to the assets. Click on the “Close” button at the bottom of the center pane when you’re done.
Assigning Tags using Tagging Profiles:
Tagging profiles are very convenient for doing automatic Tagging via the basic information Tripwire gathers from a system when it first reports into the TE Console. When a new asset first reports to the Tripwire console, it gives three basic areas of information: the hostname of the asset, the IP address of the asset, and the OS the asset is running.
Choose the “Manage Tagging” section in the left pane of the Asset View. Click on the 2nd item in the left-hand pane – “Tagging Profiles”. Make sure you’ve created the Asset Tags you want to assign before getting to this step else you won’t have anything to assign here.
I’ve added a set of locations to the Locations Tag Set. Start by clicking “New Profile” in the center pane of the display. The display changes and shows the asset tags in the center and at the top of the pane there’s a space to give the profile a name. This tagging profile will be “Tag Herndon Assets”. We will assign the “Herndon” location to the assets in 3 ways:
Tagging by Hostname:
There are several ways to tag by the hostname:
The options are Hostname Contains, Does Not Contain, Matches (Regex), and Does Not Match (Regex). The easiest is “Hostname Contains”. I just enter “HERN” in the space below the “Host Name” and “Contains” dropdowns, and if the asset has the letters “HERN” together anywhere in the hostname it will match and be assigned to the Herndon location (the location is chosen in the section on “Choose Tags to Apply”).
To be more precise with the naming convention there is the Regex option. Click on the “Contains” dropdown and choose “Matches (Regex)”. Java regex syntax is supported. So, if you want to ensure that only hosts with “HER” in the 3rd, 4th and 5th positions of the hostname match, in the space provided you’d enter:
The first two dots “..” represent the 1st character and then the 2nd character of the hostname. Then the HER in the naming scheme (in this case) means “Herndon”. Then the rest of the hostname follows. By using “Add a new condition” you can get very precise with asset tagging. Add a 2nd condition by leaving the option at the top set to “All” for the Match “All” conditions. That means you AND together each condition.
Thus, if I add a second condition that the IP address must be in the 10.10.22.0 to 10.10.22.255 range as well, then only systems that have HER in the 3rd to 5th positions of the hostname and an IP address that falls into the correct range will get the asset tag you’ll assign in the “Choose Tags to Apply” section. If you want to match on any of the conditions (an “OR” case), then click on the “Match … contains” dropdown and choose “Any”.
Tagging by IP-Address
Tagging by the IP-Address range is straightforward. There are a few options for how you might set up that range though:
You may use a typical IP address range “10.10.22.0 to 10.10.22.255”. You may use Classless Inter-Domain Routing (CIDR).
Thus, any assets in the range you define will then have the Asset Tag(s) you pick in the “Choose Tags to Apply” section set to those assets.
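An added example (not from the original article and not Tripwire code) that models in Python how the hostname and IP-address conditions above combine under Match “All” versus “Any”. The pattern `..HER.*` is constructed from the description in the text, the node list is made up, and whole-hostname matching (as with Java's `String.matches`) is an assumption about how TE applies the regex.

```python
import ipaddress
import re

def host_matches(hostname, pattern):
    # Assumption: "Matches (Regex)" tests the whole hostname, like Java's
    # String.matches(); re.fullmatch gives the same semantics for this pattern.
    return re.fullmatch(pattern, hostname) is not None

def ip_in_range(ip, first, last):
    # Inclusive start-to-end range, e.g. 10.10.22.0 to 10.10.22.255.
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)

def ip_in_cidr(ip, cidr):
    # The same range written in CIDR form is 10.10.22.0/24.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate_profile(node, conditions, match="All"):
    # "All" ANDs the conditions together, "Any" ORs them.
    results = [cond(node) for cond in conditions]
    return all(results) if match == "All" else any(results)

# Constructed pattern: any two characters, then HER, then the rest of the name.
HERNDON_HOST = r"..HER.*"
CONDITIONS = [
    lambda n: host_matches(n["hostname"], HERNDON_HOST),
    lambda n: ip_in_range(n["ip"], "10.10.22.0", "10.10.22.255"),
]

# Constructed sample nodes (hostname and IP as reported at registration).
NODES = [
    {"hostname": "DBHER001", "ip": "10.10.22.17"},  # hostname and IP match
    {"hostname": "DBHER002", "ip": "10.10.30.5"},   # hostname only
    {"hostname": "HERALD01", "ip": "10.10.22.40"},  # HER in positions 1-3: IP only
    {"hostname": "WEBNYC01", "ip": "192.168.1.9"},  # neither
]

def tagged(match):
    # Hostnames that would receive the tag under the given match mode.
    return [n["hostname"] for n in NODES if evaluate_profile(n, CONDITIONS, match)]

if __name__ == "__main__":
    print("All:", tagged("All"))
    print("Any:", tagged("Any"))
```

HERALD01 shows why the positional regex is stricter than “Contains”: the letters HER are present, but not in the 3rd to 5th positions, so under “Any” it is tagged through its IP address alone.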
Finally, you can set a node’s asset tag by the System Defined Tags. This means that when a node registers with the TE Console there are tags that are assigned to the node automatically. The OS for a filesystem agent, the Database type for a new database node and so on for each node type.
Typically, using the system defined tags allows you to tag assets in a more generic fashion. For instance, any system type with Red Hat in it (Red Hat 5.3, Red Hat 6.1, Red Hat 6.3) can be lumped into a Red Hat group so that you can report on all of the Red Hat boxes from one group (or run the Red Hat rules against every version of the Red Hat OS that you have from one TASK).
Assigning the Tag
Once you’ve defined how to identify systems for a tag, now you need to choose the tag that the Tagging Profile will assign. Just under the Tagging Profile Name click on the “Choose Tags to Apply”.
The Available Tags appear – open up the Tag Set that defines what was tested for in the Conditions. Click the checkboxes next to the tags that apply. Click on the Save button at the bottom right of the display to save the Tagging Profile.
When a new node is added that matches the condition it will now automatically be tagged with the label assigned here.
Assigning Tags via Tripwire ACTIONS
Assets can also be tagged using a Tripwire Action. In the ACTIONS portion of the TE GUI you choose “New Action” and then choose the Common Action “Tag Action”. Like most Common Actions in Tripwire, they are usually attached to a Conditional Action. You can change an asset tag based on the content of a change that’s detected.
Give the new Tag Action a name and choose “Next”.
Choose the Tag Set that contains the tag you want to set then pick a Tag from the “Choose a Tag” dropdown.
As with all Tripwire Actions, the Tag Action must be attached to another Action, to the Action tab of a Rule or in the Action tab of a Task.
A change must be detected before the Action will run. So, Tag Actions are excellent for dropping an Asset into a particular Smart Node Group for reports when changes to specific files or certain configuration changes are made.
Assigning Tags via TECommander Calls
There is one more way to assign asset tags. The Tripwire Professional Services group has produced a command line tool to interact with the Tripwire Console. TECommander takes the Tripwire REST API calls and exposes them via a command line tool, thus making scripting of TE Console interactions possible.
One possible implementation is to use a script that can look up information from Tripwire or from other sources (CMDB, a spreadsheet, etc) and use that information to make decisions on tagging assets. The example in the script screenshot shows TECommander retrieving information from Tripwire Elements, testing the content and then Asset Tagging the asset based on what was found in the element contents.
To Asset Tag new nodes when they are discovered, set up an Asset Tag Set for Administrative processing. One of the tags shown in the screenshot is “Processed”. Any node that has the Tripwire Event Generator turned on, or any other on-board processing, will have the “Processed” tag set (once you’ve implemented the steps below). Given that any asset that is “Untagged” in that Tag Set hasn’t been processed, you now have a set of “unprocessed” assets in a group that can be handled at one time.
The “Untagged” grouping of a Tag Set does NOT show up in the Smart Node Groups. So, how can you access that information when you want to work on “Untagged” assets? Create a “Saved Filter”! A saved filter allows you to create a Smart Node Group that includes assets that are “untagged”.
Once you have the assets in a Saved Filter named, for example, “Unprocessed Assets”, you can then take action on those assets. Set up a Task that uses the “Unprocessed” assets and choose a Rule to run on them, say, one that looks for a particular application on the systems.
Then create an Execution Action that you call from the Action portion of the Task – and call the TECommander Script you’ve created. Test the asset for information you’re interested in (from the initial baselined information) and then Tag the asset with the Asset Tags based on your script logic.
The execution action to call the script (in the screenshot below) would look like this:
The execution action for this script is set to run every time the task is run, even if no changes are found. But it will only do something if there are Nodes in the Saved Filter we set up. Once the “Processed” tag is set on an asset, it will no longer be in our Saved Filter. Thus, only new TE nodes will be processed by this script, and only one time.
Scripting is a little more complicated, but gives you the ultimate in flexibility. The Tripwire Professional Services group often builds integrations and custom logic for our customers using TECommander and other integration tools. Just ask your sales rep if you require their expertise.
Combining Tags with Saved Filters
Saved Filters allow you to combine asset tags. Suppose you want a group of systems that are in one location and have a particular OS, say, “Herndon” nodes that are running “Oracle”. Click on the “Saved Filters” entry in the left pane, then click on the “New Saved Filter” button at the top of the center pane. Give the Saved Filter a name, say “Herndon Oracle Servers”. Then click the checkboxes next to the Location “Herndon” and the Application “Oracle”.
All assets that have both of those asset tags will show up in that saved filter group in the Smart Nodes Group view. That way, if you have MS-SQL nodes in Herndon as well you can create another Saved Filter for Herndon-MSSQL. Then you have the equivalent of 2 DB types nested under Herndon.
And, as noted above, Saved Filters are the only way to take a set of “Untagged” assets and make them visible as a group in the Tripwire Smart Node Groups.
The Asset Tag functionality in Tripwire Enterprise makes management of TE much easier and is another great way to integrate with other products so that information can be shared. At more and more large customers, TE has become the glue between several other security products as well as adding valuable information about unexpected modifications to those products. By using Asset Tags along with the TECommander script, integrations with TE have helped to break the silos of security information, making a combination that is more powerful than the applications alone.