There are many good business, security, and compliance reasons for leveraging the extensive rule and policy engines of Fortra’s Tripwire Enterprise (TE) to implement Security Configuration Management (SCM) capabilities, which have been documented very well in other blogs. In contrast, this article deals more with “how can we fully leverage this capability” technically instead of “why” we use them.
TE policy tests enable a constant reportable gauge on profile-based, security-related configuration settings. The primary value of this capability is enabling organizations to identify security configuration settings that don’t meet expected profiles, enabling you to take remediation actions. A secondary value is enabling admins to easily validate and verify that system and application changes, like upgrades and security patches, do not affect these key settings and thereby create unexpected security exposures.
In a piece written by Jay Thakar, the key components of an SCM solution are described. We can drill down into each component and elaborate on the power of TE SCM policies:
- Configuration Assessment: Evaluating the current configuration of systems to identify vulnerabilities.
- Configuration Baselines: Establishing a set of security standards for systems and applications.
- Continuous Monitoring: Regularly checking systems for compliance with the established baselines.
- Remediation: Correcting any deviations from the baseline configurations.
Configuration Assessment
Configuration Assessment capabilities must be flexible and extensible to address the ever-growing number of technology stacks in customer environments. Key to this capability is the flexibility to address the large variety of “agentless” device types. One question that is often posed is, “Can testable elements be captured using a FileSystem or Command Output rule?” The answer is usually yes, although there may be technology-specific limitations and access control restrictions to capturing desired testable information within elements. It may require a creative approach using device APIs, like using PowerCLI within scripts to capture VMware data. There are other creative approaches using “External Rules” to map static data to node elements as well.
Configuration Baselines
Configuration Baselines represent the scope of discrete tests and acceptable values for a given technology stack. These baselines may address any number of business and technical objectives, ranging from platform hardening to audit compliance to state validation for other vendor security services, such as anti-virus and event forwarding. Configuration Baselines in TE are easy to build using extensive Out-Of-Box (OOB) Tripwire security benchmark policies/tests for NIST, CIS, or many others as templates.
The beautiful thing about Tripwire-provided benchmark policies is that they’re very thorough and support a broad spectrum of standard platforms, providing a quick and easy starting point. In addition, any template policy can easily be modified in terms of the scope of tests, acceptable test values, and the scope of nodes mapped to tests. The key here is determining what those modifications need to be.
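To make the Configuration Assessment and Configuration Baselines ideas concrete, here is an added, self-contained example of what a baseline looks like as data and how it is evaluated against captured element content. This is illustrative code written for this article, not Tripwire Enterprise’s own policy engine or API; the test names, acceptable values, remediation text and the sshd_config fragment are all constructed. It shows several discrete tests being derived from one captured element, each with its acceptable values and a remediation hint, and how a directive that is absent from the file is handled.

```python
"""Added example: evaluate a small configuration baseline against captured
element content. Not Tripwire Enterprise code; all names and values below
are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of element content such as a FileSystem or Command Output
# rule might capture (an sshd_config fragment). Not taken from any real host.
CAPTURED_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
"""


@dataclass
class PolicyTest:
    name: str                           # test name as it would appear in a report
    key: str                            # configuration directive under test
    acceptable: Callable[[str], bool]   # predicate over the (lower-cased) value
    remediation: str                    # remediation step reported on failure
    default_when_missing: Optional[str] = None  # value implied if directive is absent


# Baseline: several tests derived from the same element content. Scope and
# acceptable values are plain data, so they are easy to adjust per audience.
BASELINE: List[PolicyTest] = [
    PolicyTest("SSH root login disabled", "PermitRootLogin",
               lambda v: v == "no", "Set 'PermitRootLogin no' and reload sshd"),
    PolicyTest("SSH password authentication disabled", "PasswordAuthentication",
               lambda v: v == "no", "Set 'PasswordAuthentication no' and reload sshd"),
    PolicyTest("SSH MaxAuthTries at most 4", "MaxAuthTries",
               lambda v: v.isdigit() and int(v) <= 4, "Set 'MaxAuthTries 4'"),
    # sshd's built-in default for X11Forwarding is 'no', so an absent directive passes.
    PolicyTest("SSH X11 forwarding disabled", "X11Forwarding",
               lambda v: v == "no", "Set 'X11Forwarding no'", default_when_missing="no"),
]


def parse_kv_config(content: str) -> Dict[str, str]:
    """Parse 'Directive value' lines, skipping comments and blanks. Keys are
    treated case-insensitively and the first occurrence wins, as sshd does."""
    parsed: Dict[str, str] = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if m:
            parsed.setdefault(m.group(1).lower(), m.group(2))
    return parsed


def evaluate(content: str, baseline: List[PolicyTest]) -> List[dict]:
    """Run every test in the baseline against one captured element."""
    cfg = parse_kv_config(content)
    results = []
    for t in baseline:
        actual = cfg.get(t.key.lower(), t.default_when_missing)
        # An absent directive with no known default is treated as a failure:
        # the hardening setting has not been explicitly asserted.
        passed = actual is not None and t.acceptable(actual.lower())
        results.append({"test": t.name, "actual": actual, "passed": passed,
                        "remediation": None if passed else t.remediation})
    return results


def score(results: List[dict]) -> float:
    """Passing percentage, the figure a scoring report would track over time."""
    return 100.0 * sum(1 for r in results if r["passed"]) / len(results)


if __name__ == "__main__":
    res = evaluate(CAPTURED_SSHD_CONFIG, BASELINE)
    for r in res:
        print(("PASS" if r["passed"] else "FAIL"), r["test"], "->", r["actual"],
              "" if r["passed"] else f"(remediation: {r['remediation']})")
    print(f"score: {score(res):.1f}%")
```

Running it against the constructed fragment fails the root-login and MaxAuthTries tests and passes the other two, for a score of 50%. Because the baseline is a list of data objects, narrowing its scope or changing an acceptable value for a different audience is an edit to that list rather than to the evaluation logic.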
Continuous Monitoring
Continuous Monitoring capabilities must be adaptable to meet a variety of reporting and alerting processes and management ecosystems. Any of the following methods can be used to determine when critical policy tests have changed from a “Passing” to a “Failed” state.
- By default, TE Home Pages with properly scoped Test Results Summary reports/dashboards provide an excellent, at-a-glance view of failures using colored pie charts with drill-down details. The ability to scope reports based on Smart Node Groups and different Configuration Baselines enables highly customized views for different audiences (Operations or Compliance).
- If there’s a Security Operations Center (SOC) using a Security Information and Event Management (SIEM) solution to monitor events, the Event Sender TE App can be customized to forward syslog events to your SIEM to communicate policy score changes and/or policy test results by node. These events can trigger other notifications and actions within the SIEM workflow.
- If Splunk is your SIEM solution, the Splunk App for TE provides excellent custom reporting and alerts on failed policy tests, even across multiple TE consoles, also enabling integration of TE security data with other products.
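The SIEM-side half of the forwarding workflow above is simple correlation: keep the last known result per node and test, and raise an alert when a test moves from “Passing” to “Failed”. The following added example shows that logic, plus a per-run passing percentage of the kind a scoring history report tracks. It is not the Event Sender app or the Splunk App for TE; the line format of the events and the node and test names are assumptions constructed for this example, not the actual syslog format TE emits.

```python
"""Added example: detect Pass -> Fail transitions per node and test over a
stream of forwarded policy-test events. The event format is an assumption made
for this example, not the real Tripwire Enterprise Event Sender output."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events from two policy runs (timestamp, node, policy,
# test, result). Node and test names are invented for illustration.
SAMPLE_EVENTS = """\
2024-05-01T01:00:00Z node=web01 policy="Linux Hardening" test="SSH root login disabled" result=PASS
2024-05-01T01:00:00Z node=web01 policy="Linux Hardening" test="SSH password authentication disabled" result=PASS
2024-05-01T01:00:00Z node=web02 policy="Linux Hardening" test="SSH root login disabled" result=FAIL
this line is malformed and should be skipped
2024-05-02T01:00:00Z node=web01 policy="Linux Hardening" test="SSH root login disabled" result=FAIL
2024-05-02T01:00:00Z node=web01 policy="Linux Hardening" test="SSH password authentication disabled" result=PASS
2024-05-02T01:00:00Z node=web02 policy="Linux Hardening" test="SSH root login disabled" result=PASS
2024-05-02T01:00:00Z node=web02 policy="Linux Hardening" test="SSH password authentication disabled" result=FAIL
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+node=(?P<node>\S+)\s+policy="(?P<policy>[^"]*)"\s+'
    r'test="(?P<test>[^"]*)"\s+result=(?P<result>PASS|FAIL)\s*$'
)


def parse_events(text: str) -> List[dict]:
    """Parse event lines; malformed lines are skipped rather than aborting the
    pipeline. Events are sorted by timestamp (stable, so same-run order holds)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return sorted(events, key=lambda e: e["ts"])


def find_regressions(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (node, test, timestamp) for every transition from PASS to FAIL.
    A test seen as FAIL with no prior result is not a regression; it is a
    newly observed failure and would be reported separately."""
    last: Dict[Tuple[str, str], str] = {}
    regressions = []
    for e in events:
        key = (e["node"], e["test"])
        if last.get(key) == "PASS" and e["result"] == "FAIL":
            regressions.append((e["node"], e["test"], e["ts"]))
        last[key] = e["result"]
    return regressions


def scoring_history(events: List[dict]) -> Dict[str, float]:
    """Passing percentage per run (timestamp) across all nodes and tests."""
    per_run: Dict[str, List[bool]] = defaultdict(list)
    for e in events:
        per_run[e["ts"]].append(e["result"] == "PASS")
    return {ts: round(100.0 * sum(r) / len(r), 1) for ts, r in sorted(per_run.items())}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for node, test, ts in find_regressions(evs):
        print(f"ALERT {ts} {node}: '{test}' changed from PASS to FAIL")
    for ts, pct in scoring_history(evs).items():
        print(f"{ts} passing: {pct}%")
```

On the constructed stream, only web01’s root-login test regresses between the two runs, which is the event worth an alert; web02’s root-login test recovers, and its password-authentication test is a first-seen failure rather than a regression. The scoring history drops from 66.7% to 50.0% across the two runs, which is the trend a Scoring History report would surface.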
Remediation
Remediation capabilities should enable customers to prescribe or automate remediation steps for failed tests, then detect positive remediation effects through continuous monitoring. Fortunately, the OOB TE policy tests provide remediation steps which can be easily modified, if needed, and reported in detailed test results reports. After remediation, the policy rules and tests should be re-run to ensure a “passing” state. These improvements in the passing percentage can be monitored easily using Scoring History reports.
Given the flexibility and adaptability of TE SCM policies, Tripwire Professional Services usually recommends the following approach:
- Identify the key infrastructure technologies within the scope of your SCM processes, which will likely be a variety of operating systems, network devices, virtualization platforms, databases, and applications.
- Whenever possible, keep the policy customizations as simple as possible, as there may be more than one workable approach to capturing, testing, and reporting data. For example, in some cases, multiple policy tests can be derived from the same element content captured. Always leverage existing policy tests from Tripwire content, where possible.
- Get your Audit and Compliance teams involved in design and review early on. Their input will guide development of Configuration Baselines, as well as Continuous Monitoring processes.
Tripwire Enterprise SCM policies integrate into broader security frameworks like Zero Trust by continuously monitoring and enforcing security configurations across all systems. The policies ensure that each component within the framework adheres to established security baselines, creating a unified and resilient defense. By mapping SCM policies to the broader security strategy, organizations can manage configurations in real-time, detect deviations, and respond swiftly to potential threats, enhancing overall security posture. To find out more about how we can help, visit us here.