Using Tripwire Enterprise 8 (copy hosted by University at Buffalo, 2020-01-06)
USING TRIPWIRE ENTERPRISE 8.3 SUPPLEMENTAL GUIDE
TRIPWIRE PROFESSIONAL SERVICES
v2.1
1 | Using Tripwire Enterprise 8.3 | Tripwire Professional Services
TABLE OF CONTENTS
Table of Contents ... 1
1 About this Guide ... 4
  1.1 Revision History ... 4
2 Introduction to Tripwire Enterprise ... 5
  2.1 Exploring the Console Interface ... 6
    2.1.1 Manager Bar and Tabs ... 6
    2.1.2 Button Bar ... 6
    2.1.3 Interface Toolbar ... 8
    2.1.4 Tree Pane and Main Pane ... 8
    2.1.5 Status Bar ... 9
  2.2 Managers and Objects ... 10
  2.3 New Features in Tripwire Enterprise 8.3 ... 12
3 Getting Started ... 13
  3.1 Installing Tripwire Enterprise ... 13
  3.2 Accessing the Console ... 13
  3.3 Fast Track ... 14
  3.4 Logging In to the Console ... 20
  3.5 Change Your User Password ... 21
  3.6 Setting User Preferences ... 22
  3.7 Check the Version of Tripwire Enterprise ... 23
4 Using Asset View ... 24
  4.1 Tagging Best Practices ... 25
    4.1.1 Guidelines for Using Tags ... 25
    4.1.2 Tagging Tips and Tricks ... 25
    4.1.3 Tagging Strategies ... 26
  4.2 Filtering Assets ... 27
  4.3 Viewing and Selecting Assets ... 28
  4.4 Manually Applying Tags to Assets ... 29
  4.5 Working with Tags and Tag Sets ... 30
  4.6 Working with Saved Filters ... 31
  4.7 Working with Tagging Profiles ... 32
5 Standard Operations ... 33
  5.1 Create a Group ... 33
    5.1.1 Node Groups ... 34
    5.1.2 Smart Node Groups ... 34
  5.2 Create an Object ... 36
    5.2.1 Create a Rule ... 37
    5.2.2 Create a Task ... 42
    5.2.3 Create an Action ... 44
    5.2.4 Create a Report ... 44
  5.3 Move an Object ... 47
  5.4 Link/Unlink an Object ... 48
    5.4.1 Link a Node ... 49
  5.5 Delete an Object ... 50
    5.5.1 Delete a Node ... 50
  5.6 Import/Export an Object ... 52
  5.7 Baseline a Node ... 54
  5.8 Check a Node ... 56
  5.9 Viewing Changes ... 57
  5.10 Promoting Changes ... 59
  5.11 Viewing Reports and Dashboards ... 63
6 Node Operations ... 65
  6.1 Onboarding Agent Nodes ... 65
    6.1.1 With Smart Node Groups Enabled ... 65
    6.1.2 Without Smart Node Groups Enabled (Legacy Feature) ... 65
  6.2 Event Generator and Enable Real-time Monitoring ... 67
    6.2.1 Configure on a Single-node Basis ... 67
    6.2.2 Configure in Bulk ... 68
  6.3 Create a Custom Node Type ... 69
  6.4 Create the Custom Node ... 70
  6.5 Unlicensing a Node ... 74
7 Rule Operations ... 76
  7.1 Tune a Rule ... 76
  7.2 Configure Real-time Monitoring for Rules ... 78
8 Policy Operations ... 79
  8.1 Using the Policy Manager ... 79
  8.2 Creating a Policy Waiver ... 82
9 Other Operations ... 85
  9.1 Configure the Login Method ... 85
  9.2 Support Data ... 88
  9.3 Create a Promotion Approval Template ... 90
  9.4 Using Home Pages ... 92
    9.4.1 Alerts Widget ... 97
  9.5 Create a Custom Property ... 98
1 ABOUT THIS GUIDE
The Using Tripwire Enterprise 8.3 Guide provides a task-focused look at operating Tripwire Enterprise
(TE). The goal of this document is to empower you with clear instructions to accomplish specific tasks
and procedures within TE. The result is a practical look at operating TE to realize its maximum benefit.
NOTE: This guide is designed to complement, rather than replace, the Tripwire Enterprise 8.3 User
Guide. The User Guide provides a more comprehensive overview of TE functionality.
1.1 Revision History
This document has been updated to reflect improvements and new features available in TE version 8.3.
For specific details on the revision history, please consult the table below:
Date        Author(s)     Version       Change Reference
9/2/2011    Gail Powell   Version 1.0   TE 8.1 Initial Draft
9/22/2011   Gail Powell   Version 1.1   TE 8.1 Final Draft
4/18/2014   Daniel Kuhn   Version 2.0   TE 8.3 Update Draft
5/21/2014   Daniel Kuhn   Version 2.1   Minor Updates
2 INTRODUCTION TO TRIPWIRE ENTERPRISE
Tripwire Enterprise (TE) is a File Integrity Monitoring (FIM) and Security Configuration Management
(SCM) tool designed to be flexible in its monitoring of changes to systems, devices, and applications. TE
supports file servers, database servers, directory servers, network devices, and virtual infrastructure
systems out of the box. There is additional functionality to support other devices and systems through
the use of custom nodes.
The change detection core of TE can be understood with the knowledge of a few terms:
• A node is a monitored device or system. Examples of nodes include file servers, database
  instances, or even network devices. TE supports many different node types.
• A rule defines a set of data to monitor. This could be a specific file or directory, or it could be the
  results of a database query or command, for example. Just as there are many node types,
  there are many rule types.
• When you perform a check of a node with a rule, the result is an element. An element is the
  monitored data, as defined by the rule and returned by the node.
• An element, itself, is made up of versions. Think of an element version as a snapshot of the
  monitored data at some point in time.
• TE looks for changes to monitored elements. The first time a rule is run (or “checked”) against a
  node, a baseline element version is created. This baseline version is what future checks are
  compared to when TE is looking for changes. (The process of performing this initial check of a
  rule against a node is also called “baselining”, as the baseline element version is what results.)
• If a change is detected, TE classifies the change as one of three types: addition (a file is added,
  for example), deletion (a file is deleted, for example), or the most common, modification (the
  contents of a file or its attributes have changed, for example). This detected change is then
  saved as a new element version of that change type.
• As you can imagine, over time TE will keep adding to this element history by creating new
  change versions when changes are detected. In situations when the change that TE detected
  was expected or known (in other words, a “good” or “authorized” change), a user can promote
  that newly detected change version to become the new baseline version. This new baseline
  version becomes the “current baseline” version against which future checks are compared,
  and the change detection process continues as before.
This interaction of nodes, rules, elements, and versions defines the core of TE.
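The node/rule/element/version model described above, worked through as an added Python illustration (this is not Tripwire code; the class names, the dict-of-bytes stand-in for a file server node, and the sample paths and contents are assumptions): a rule is baselined against a node, later checks classify any difference from the current baseline as an addition, deletion or modification and append it to the element's version history, and promoting a version makes it the new current baseline so that future checks compare against it instead.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ElementVersion:
    """One snapshot of an element: its change type and a digest of the content."""
    change_type: str           # "baseline", "addition", "deletion" or "modification"
    digest: Optional[str]      # SHA-256 of the content; None when the path is absent


@dataclass
class Element:
    """Monitored data for one path under one rule, with its full version history."""
    path: str
    versions: List[ElementVersion] = field(default_factory=list)
    baseline_index: int = 0    # which entry in versions is the current baseline

    @property
    def current_baseline(self) -> ElementVersion:
        return self.versions[self.baseline_index]


def _digest(data: Optional[bytes]) -> Optional[str]:
    return hashlib.sha256(data).hexdigest() if data is not None else None


class Rule:
    """A rule lists the paths to monitor; checking it against a node yields elements.
    A 'node' here is a plain dict of path -> contents (an assumed stand-in)."""

    def __init__(self, paths: List[str]) -> None:
        self.paths = paths
        self.elements: Dict[str, Element] = {}

    def baseline(self, node: Dict[str, bytes]) -> None:
        """Initial check ('baselining'): record a baseline version for every path."""
        for path in self.paths:
            self.elements[path] = Element(
                path, [ElementVersion("baseline", _digest(node.get(path)))])

    def check(self, node: Dict[str, bytes]) -> Dict[str, str]:
        """Compare the node's current state with each element's current baseline.

        Returns {path: change_type} for every element that differs from its
        baseline. A new version is appended only when the content also differs from
        the most recently recorded version, so repeated checks do not pad history.
        """
        changes: Dict[str, str] = {}
        for path, element in self.elements.items():
            now = _digest(node.get(path))
            base = element.current_baseline.digest
            if now == base:
                continue                      # matches baseline: no change
            if base is None:
                change = "addition"           # absent at baseline, present now
            elif now is None:
                change = "deletion"           # present at baseline, absent now
            else:
                change = "modification"       # present both times, content differs
            if element.versions[-1].digest != now:
                element.versions.append(ElementVersion(change, now))
            changes[path] = change
        return changes

    def promote(self, path: str) -> None:
        """Accept the latest recorded version of an element as its new baseline."""
        element = self.elements[path]
        element.baseline_index = len(element.versions) - 1


def demo() -> Dict[str, object]:
    """Walk through baseline -> drift -> check -> promote on constructed sample data."""
    node = {"/etc/hosts": b"127.0.0.1 localhost\n",
            "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}
    rule = Rule(["/etc/hosts", "/etc/passwd", "/etc/motd"])   # /etc/motd absent
    rule.baseline(node)
    clean = rule.check(node)                   # nothing has changed yet
    # Constructed drift: hosts deleted, a service account appended to passwd, motd added.
    node = {"/etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n"
                            b"backup:x:1001:1001::/var/backup:/usr/sbin/nologin\n"),
            "/etc/motd": b"Authorized use only\n"}
    first = rule.check(node)
    second = rule.check(node)                  # same state: reported, no new versions
    rule.promote("/etc/passwd")                # the passwd change was authorized
    after_promote = rule.check(node)           # passwd now matches its new baseline
    return {"clean": clean, "first": first, "second": second,
            "after_promote": after_promote,
            "passwd_versions": len(rule.elements["/etc/passwd"].versions),
            "hosts_versions": len(rule.elements["/etc/hosts"].versions)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `check` always compares against the current baseline, not the previous check: an unpromoted change keeps being reported on every check until someone promotes it or the content reverts, which is exactly the behaviour that makes an unreviewed change impossible to lose in the history.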
2.1 Exploring the Console Interface
The Console Interface is a web-based GUI that provides a means to operate, administer, and maintain
TE. The Console Interface consists of two main panes and multiple toolbars and tabs.
2.1.1 Manager Bar and Tabs
The Manager Bar provides easy access to each of the different Managers within TE. Each Manager
controls a different component of TE. The tools and actions available in each Manager are unique to the
functionality of its component. For a description of each Manager, see Managers and Objects.
Navigating between Managers is as simple as clicking on the desired Manager from the Manager Bar.
Selecting a Manager from the Manager Bar displays a set of Tabs along the top of the interface (just
below the Manager Bar). Each Tab contains a sub-set of functions and data for the selected Manager.
2.1.2 Button Bar
The Button Bar consists of buttons that initiate TE functions. The actual buttons available in the bar
depend upon the currently selected Manager and Tab.
Additionally, some Managers have expandable button sets that are toggled by clicking the
corresponding special button (such as those special buttons labelled “Manage”, “Control”, or “Modify”).
The toggle state can be observed by looking for the direction of the black arrow to the right of the label
on these special buttons. If the arrow is pointing to the left, the button set is expanded. If the arrow is
pointing to the right, the button set is collapsed.
NOTE: Some buttons in the button bar may be disabled until you select an appropriate object for that action. Similar to the Manager bar, some buttons may be permanently disabled based upon the permissions granted to your user account.
The label button (far left-side of the button bar) toggles the display of text labels through three states:
• Show all labels
• Hide all labels
• Show the label of a button only when you hover over the button
If the label button appears as follows, all labels are shown:
If the label button appears as follows, all labels are hidden:
If the label button appears as follows, labels are shown as you hover over the button:
NOTE: The “Import” button has been hovered over and its label is displayed. No other labels are
displayed.
Toggle the different views by clicking on the label button until you find your preference.
2.1.3 Interface Toolbar
The Interface Toolbar is located in the upper-left corner of the window just below the Manager bar.
While this toolbar is present across nearly all TE windows (including pop-ups), the specific buttons
within the toolbar depend upon the window context. This toolbar consists of three buttons:
The Refresh button updates displayed data with the latest information. It is recommended that you do
not use your web browser’s refresh button to refresh data in the TE interface.
The Help button opens TE’s in-application, context-sensitive help system.
The Logout button ends the current user session. This is preferable to simply closing your web
browser, since it gracefully closes all open tables and indices and releases your session.
2.1.4 Tree Pane and Main Pane
The Tree Pane displays the hierarchy of groups used to organize objects in the selected Manager. If you
select an object in the Tree Pane, information about that object is displayed in the Main Pane. For
example, selecting a group from the Tree Pane will display all objects within and sub-groups of the
selected group in the Main Pane. To execute an operation on an object (such as a rule check, promotion,
or other activity), you must first select the object’s parent group in the Tree Pane. Then select the object
from the list in the Main Pane and initiate your desired operation. Below is an example from the Node
Manager.
Users can “drill down” using the Tree Pane. Any place you see a “+” icon adjacent to an object, it means
there are children underneath it. Clicking the “+” will expand the object so its children are visible.
For example, when looking at the Node Manager, you will be able to expand the Root Node Group to
find a few children node groups. Expanding those will likely reveal more children node groups. Selecting
a node group from the Tree Pane will display the nodes (and possibly node groups) it contains in the
Main Pane. Ultimately, selecting a node from the Tree Pane will display either the rules and/or rule
groups baselined against the node (if the “Detailed node view” Tree Option is enabled, which it is by
default) or all of the associated elements for that node in the Main Pane. This process of expanding
deeper into the tree is known as “drilling down”.
NOTE: If you have the “Detailed node view” Tree Option enabled (as it is by default), you will be able to
“drill down” past the node level as well. Doing so will reveal the rules and rule groups that have been
baselined against the node. Selecting a rule group object from the Tree Pane will display the rules (and
possibly rule groups) it contains in the Main Pane. Ultimately selecting a rule from the Tree Pane will
display the associated elements that exist from that node and rule combination in the Main Pane.
2.1.5 Status Bar
The Status Bar is located at the bottom of the window and displays the name of the current user and
which Manager they are viewing. Certain Managers also support a filter to control which objects are
visible. You can click on the username to view and edit the settings for that user account. Similarly, you
can click on the filter status to view and edit the filter settings for that Manager.
2.2 Managers and Objects
TE functionality consists of several different components. Each Manager controls a different component
of TE. You use each Manager to manage different types of objects, some of which are unique to specific
Managers.
• Home Page Manager
o Allows a user to create, edit, duplicate, organize, assign, or delete home pages. Home
pages are configurable pages that display information about TE or monitored systems
through dashboards, reports, alerts, and more. This Manager is typically used by
managers or other non-administrative users, who have little or no need to access data
from different manager components, to get a quick overview of the state of their
environment.
• Node Manager
o Allows a user to create, import, export, edit, duplicate, organize, delete, check, baseline,
and promote nodes and node groups. Users can also manage file system agents and
licensing of nodes. Nodes represent monitored assets (servers, systems, devices, etc.).
TE ships with a variety of supported node types such as file server, database server,
directory server, network device, and virtual infrastructure nodes. The Nodes tab of the
Node Manager has historically been the place to manage all facets of nodes, but that is
changing. The Asset View tab contains Asset View, which is inheriting the administrative
and operating features of the Nodes tab. This transition is intentional, as moving from a
static tree hierarchy of asset management to a dynamic tag-based system provides
many benefits. The most visible example of this transition is the presence of both
regular Node Groups and Smart Node Groups. Regular Node Groups are managed
through the Nodes tab while Smart Node Groups are managed through Asset View. For
more information, see Using Asset View.
• Rule Manager
o Allows a user to create, import, export, edit, duplicate, organize, or delete rules or rule
groups. Rules define the data and/or objects to be monitored on a node. TE ships with a
variety of rule types such as file server, database server, directory server, network
device, and virtual infrastructure rules.
• Action Manager
o Allows a user to create, import, export, edit, duplicate, organize, or delete actions or
action groups. Actions initiate a response to changes detected by TE or failures
generated by policy tests. TE ships with a variety of action types such as e-mail
notification, auto-promote, SNMP, syslog, and content conditional actions. Actions can
be applied to nodes, rules, or tasks.
• Task Manager
o Allows a user to create, import, export, edit, duplicate, organize, delete, enable/disable,
and execute tasks or task groups. Tasks run a TE operation on a manual or scheduled
basis. TE ships with three task types: check rule, baseline rule, and report tasks.
• Policy Manager
o Allows a user to create, import, export, edit, duplicate, organize, and delete policies,
policy tests, or policy groups. Users can also promote, execute, and waive policies. A
policy measures the degree to which configurations of monitored systems are in
compliance with an industry or corporate standard. A policy test determines if a
monitored system complies with a specific requirement of a policy. TE ships with three
policy test types: content, attribute, and Windows ACL tests.
• Log Manager
o Allows a user to view, search, export, and delete log messages. A log message is a
record of user or network activity created by TE. It contains who, what, where, and
when data for each user action.
• Report Manager
o Allows a user to create, import, export, edit, duplicate, organize, or delete reports,
dashboards, or report groups. Reports compile and display data about the monitored
systems in TE. Dashboards are a user-defined collection of reports that are generated at
the same time.
• Settings Manager
o Allows a user to control the features, application parameters, system preferences, and
user preferences for TE.
2.3 New Features in Tripwire Enterprise 8.3
• New licensing options. You can now license individual monitored assets for Change Auditing,
Policy Management, or both for an Integrated Security Configuration Management (SCM)
solution. In previous versions of Tripwire Enterprise, a node required a Change Audit license to
enable Policy Management functionality, but these license types can now be applied
independently.
• Enhanced workflow for managing nodes and resolving errors in Asset View. You can now
restart, enable, and disable multiple nodes from the Asset View tab at the same time. In
addition, you can test the connection to file system nodes from the Asset View tab to help
diagnose connection errors.
• Support for SCAP-based content. The SCAP (Security Content Automation Protocol) 1.2
standard is an emerging collection of standards developed by the NIST (National Institute of
Standards and Technology). Tripwire Enterprise can be used to import SCAP-based content,
interact with that content, run scans, and view scan results. In Tripwire Enterprise 8.3, this
functionality is available via an API. For more information on using TE with SCAP-based content,
see the Tripwire Enterprise SCAP Guide.
• Improved performance when a server node is unreachable. When Tripwire Enterprise cannot
access a file server node during a baseline operation or version check, it now skips all other
attempts to contact that node using other rules. This reduces the time required to complete the
task. TE will also apply a Connection Error tag to the node in Health Check to reflect the fact that
it was unreachable. Once the connection issue is resolved, baseline or version check operations
on the node will resume normally.
• Troubleshooting assistance during installation or migration. If you encounter problems while
installing or updating Tripwire Enterprise Console, a new error console displays database
settings and detailed error information to help you to troubleshoot the problem.
3 GETTING STARTED
3.1 Installing Tripwire Enterprise
For instructions on installing TE, please see the Tripwire Enterprise 8.3 Installation & Maintenance Guide.
3.2 Accessing the Console
Once TE has been installed, you can access the Console by navigating to the IP address or hostname of
the Console Server (over HTTPS) in a supported browser:
https://<TE Console Server hostname>
https://<IP address of the TE Console Server>
The following are examples of valid methods to access the Console:
https://tripwire
https://tripwire.domain.com
https://192.168.1.100
3.3 Fast Track
You will encounter Fast Track the first time you access the Console post-installation. Fast Track will
dramatically speed up the time it takes to configure TE. You will be presented with a questionnaire that
Fast Track will use to install and configure the selected components. Fast Track is a one-time
configuration tool. You will not be able to access it again once you have completed the process.
1. Click the “Configure Tripwire Enterprise” button to begin.
2. Click the “Browse” button, navigate to the location of your TE license file (which should have a
.cert file extension), and select it.
3. Select your desired solutions and policies.
4. Specify the platforms you would like to monitor. Platforms that you are licensed for are
highlighted in the “Available Platforms” pane (left side). Platforms you select from the “Available
Platforms” list will appear in the “Selected Platforms” pane (right side).
5. Using the dropdown controls, adjust the task schedules to meet your business needs. Fast Track
allows you to schedule tasks in one hour intervals. If you require greater granularity in your task
scheduling, you can adjust these times through the Task Manager after you complete Fast Track.
6. Configure your email server by filling in the appropriate SMTP host details and desired sender
email address. If your email server requires authentication, select the checkbox and enter the
additional account information. Use the “Test the connection” box to test your configured
settings. The results of the test will be displayed in the “Connection Results” textbox. If you
would rather configure your email server at a later time (in the Settings Manager), select the
second radio button.
7. Create an Administrator account. This user will be granted full permissions. Additionally, be
mindful of the password policy when choosing the user’s password. If desired, this password policy
can be adjusted later through the server.properties file.
8. Click the “Preview Configuration” button to review your selected configuration. The Fast Track
Manifest will list which items will be applied to your configuration and which are not supported
(due to unique platform/monitoring configuration combinations you may have selected). It is
recommended that you save the Fast Track Manifest for later review. To do so, either save the
web page, or copy and paste the contents to a text editor like Notepad and save the result.
9. While reviewing the Fast Track Manifest, if you determine a correction is needed, click on the
“Edit Configuration” button. Once you are satisfied with the configuration, click “Apply
Configuration”. Do not forget to save the Manifest if you desire.
10. Fast Track will now configure TE according to your specifications. You can track the progress on
the next page. When Fast Track completes, it will state “Finished!”
11. Click the “Continue to Tripwire Enterprise” button to be redirected to the Console login page.
You can now log in with the admin user account you created during Fast Track.
3.4 Logging In to the Console
When accessing the Console, you will be presented with a login page. This page will prompt you for a
username and password, which should have been supplied to you by the Tripwire Administrator. If
Active Directory/LDAP authentication has been configured, then your username and password are your
network/domain credentials. Once you have entered your username and password, click the “Sign In”
button.
NOTE: TE displays times and dates in American English format by default. To display times and dates in a
different locale, change the Locale setting when you log into the software. Changing the locale setting
does not provide localization support (it does not translate the interface text into a different language).
3.5 Change Your User Password
There will be times when it is necessary to change your user password. If your Tripwire Administrator
initially provided you with your username and password, you will want to change your password after
logging in to the Console for the first time.
1. Ensure your implementation of TE is not using Active Directory/LDAP authentication (otherwise
changing your password through TE will have no effect). If you aren’t sure, check with your
Tripwire Administrator.
2. Log in to the Console and navigate to any manager except the Home Manager.
3. Click on your username in the lower-right of the page (right side of the Status bar).
4. On the resulting user account dialog window, select the “Password” tab.
5. Enter your existing (current) password in the “Current password” field. Enter your desired new
password in the “New password” field and again in the “Confirm” field.
6. Click “OK” to save your changes and close the dialog window.
3.6 Setting User Preferences
Upon logging in to the Console, you will be viewing the Home Page Manager by default. You may change
this default login behavior, as well as a myriad of other user-specific preferences, on the Settings
Manager > User > Preferences page. Commonly adjusted settings include the “Always login to Home
Page”, “Display exact table count”, “Table page size”, and “Max version display” preferences. Keep in
mind that these preferences control the behavior and display settings of the Console Interface for only
your user. Detailed descriptions of each setting can be found in the contextual help link within the
Interface Toolbar.
NOTE: Use caution when enabling the “Display exact table count” preference as this will force TE to
retrieve all applicable objects from the database for any query you perform (instead of loading the
objects in batches of 5000). For queries involving a large number of objects, you will likely see a
performance impact with this preference enabled (and very likely a delay before the page completely
loads).
In certain circumstances, it can be beneficial to adjust the contextual difference settings. These settings
are found on the Settings Manager > User > Differences page. These settings control the use of context
lines when you compare two element versions in the Difference Viewer.
3.7 Check the Version of Tripwire Enterprise
There are certain situations in which it is helpful to know the specific version of TE you are currently
running. Thankfully it is very simple to check the version.
1. After logging into the Console, click on the TE logo in the upper-left corner.
NOTE: You will need to make sure you have disabled your pop-up blocker and/or whitelisted the TE
Console web application.
2. In the resulting pop-up window, you will clearly see the version string. The major and minor
version numbers comprise the first three integers in the version string. In the following
screenshot, TE is running at version 8.3.3.
3. When you are finished, close the window.
4 USING ASSET VIEW
You can view and manage your assets (nodes) based upon the tags assigned to them in the Asset View tab. Asset View is accessed from a separate tab of the Node Manager. The Asset View tab consists of three main components:
The left pane is the Asset Filter, where you can apply filters to change the assets displayed in the Asset List.
The middle pane is the Asset List, which displays assets that match the criteria in the Asset Filter pane. You can examine the properties of the assets displayed here, or add them to the current section.
The right pane is the Selection Information pane, which displays assets that are currently selected. In this pane, you can also open the Tags Drawer to assign tags to assets or change the tags that are currently assigned.
Each object in the Nodes tab of the Node Manager is represented by an asset in the Asset View tab. Using tags allows you to manage your assets more efficiently with fewer resources. Tags enable you to organize, view, and control assets using whatever criteria are most important to you—for example: business unit, operating system, policy, risk, owner, or applications installed. Since tags and filters are easy to change, you can quickly reconfigure and reorganize your assets as your business evolves.
4.1 Tagging Best Practices
Before you begin working with tags and tag sets, it is a good idea to identify some key attributes or distinctions that you can use as a starting point to classify your assets. Use the following best practices to help identify beneficial distinctions you can make.
4.1.1 Guidelines for Using Tags
Start small. Do not try to lay out your entire tag-based classification before you start applying
tags. Choose a tag and apply it appropriately. See what you learned there, and then move on.
You are going to see value in doing even a little bit of tagging, and you should feel free to iterate
on your tagging at your own pace.
Tags and tag sets should represent a single group or type. Do not join concepts with “and” or
“or” in a single tag or tag set. For example, avoid creating tags like
Location:Seattle&Portland or Application&Role:Exchange Server. Instead,
create Location:Seattle and Location:Portland. You can easily combine these tags
while filtering if you do want to see assets that are either in Seattle or Portland, but it may be
hard to make that distinction later if you report on a single combined tag.
All tags should have semantic value in themselves. Tags should mean something when read,
even out of context. When creating tags, consider how they might appear on a report. Avoid
tags like Risk:2 or Vulnerability:3 and instead use Risk:Medium or
Vulnerability:Low.
Use tagging profiles to automate the tagging process. If you can tell programmatically what tag
should be applied for a given situation, create a tagging profile to apply it automatically. Tagging
profiles will take much of the work out of applying tags, and ensure that you are up to date as
new assets come online.
Use affirmative tags whenever possible. Instead of creating tags like Policy:Not PCI, use
the default Untagged tag to reflect the absence of a state. In some cases, it may be useful to
have a tag like Location:Unknown, however.
Avoid abbreviations. Avoid tags like Server Role:DC and instead spell out Server
Role:Domain Controller. When working with a single group or type, there is almost
always room to write it out completely.
Avoid creating more than 2000 tags. Asset View currently performs best with 2000 or fewer
tags, and will become less responsive as you approach and exceed the 2000 tag mark.
4.1.2 Tagging Tips and Tricks
Viewing the intersection between two or more tags from the same tag set. To see assets that
have the tags Business Unit:Commercial and Business Unit:Sales, filter in
Asset View using one of the tags and then type the other tag in as a keyword search. You will
always get the intersection between a tag and a keyword.
To add a third tag, save the previous tag and keyword combination as a saved filter and use that
saved filter to filter assets. Then type in a third tag as a keyword search. You will always see the
intersection between a tag and a saved filter, even if the tags in the saved filter come from the
same tag set as the individual tag.
Use the counts in the filter pane to provide additional context to any tag selection. As soon as
you filter by a tag, all of the other tag counts update. That means that you only have to look at
the counts next to the other tags to see how they relate to your selected tag.
For example, if you click on Priority:Critical and then look in the Owner tag set, you
will immediately know which owners have critical assets, just by looking at the counts. The only
caveat here is that tag counts will not provide interaction information for tags within the same
tag set.
Use saved filters in Asset View as a shortcut for tag combinations that you filter on frequently.
Saved filters enable you to combine tags to schedule checks, filter reports, etc.
However, you can also use saved filters in the Asset View tab to quickly view assets that you are
interested in. For example, you could quickly identify all of the high priority assets in Portland
that are in scope for PCI by creating a saved filter with Priority:High,
Location:Portland, and Policy:PCI tags specified.
4.1.3 Tagging Strategies
With tags, you can organize your assets any way you want to, but the strategies in this section show some of the patterns that have worked well so far.
Tag for policies: this is typically based on operating system information and role.
Tag for check rule tasks: this is frequently done based on location and/or business unit, but it
depends on how you segment your assets to time their checks.
Tag for reports: this will include tags like Priority and Owner, but it can include many more.
These tags give context to the results of your reports.
Tag for asset management: this can include tags like Priority and temporary tags like
Status:Decommissioned or Status:New. You can use these tags when you need to
work on an asset.
4.2 Filtering Assets
The first time you load Asset View, there will be no filters applied and you will see all of your assets displayed in the Asset List (middle pane). You can filter your assets using the Asset Filter (left pane):
Filter assets using keywords: you can enter one or more strings into the keyword search field at
the top of the pane and TE will display any asset that contains the search string in its name, IP
address(es), or associated tags.
Filter assets using the tags assigned to them: expand either Tag Sets, System Tag Sets, or
Operational Tag Sets and select one or more tags.
Filter assets using Saved Filters: expand Saved Filters and select one or more saved filters.
NOTE: When multiple filter criteria are specified, TE interprets criteria in the same tag set or saved filter using a logical OR operator. Criteria from different tag sets or saved filters are interpreted using an AND operator. For example, if you select Location:Portland, Location:Seattle, and Owner:Bob, the Asset List displays all assets that Bob owns and that are in either Portland or Seattle.
Any filters that have been applied will be listed at the top of the Asset Filter pane. You can clear individual filters by clicking on the “X” next to the item, or you can click the “Clear all” button to clear all filters.
TIP: You can save your current combination of filters by clicking on the “Save current filter” button at the top of the Asset Filter pane.
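The filter rules in the NOTE above, together with the tag-plus-keyword intersection trick from section 4.1.2, as an added Python example (not code from this guide or from Tripwire): it evaluates a constructed asset inventory with the same OR-within-a-tag-set / AND-across-tag-sets semantics, treats each saved filter as one unit that is ANDed with the other criteria, and recomputes the tag counts the filter pane shows. Assumptions: when several keywords are entered, each must match, and IP matching is a plain substring test.

```python
from collections import Counter

# Constructed sample inventory (not from the guide). Tags use the guide's "Tag Set:Tag" form.
SAMPLE_ASSETS = [
    {"name": "pdx-web01", "ips": ["10.1.0.11"],
     "tags": {"Location:Portland", "Owner:Bob", "Priority:High", "Policy:PCI"}},
    {"name": "pdx-db01", "ips": ["10.1.0.21"],
     "tags": {"Location:Portland", "Owner:Alice", "Priority:Critical"}},
    {"name": "sea-web01", "ips": ["10.2.0.11"],
     "tags": {"Location:Seattle", "Owner:Bob", "Priority:Medium", "Policy:PCI"}},
    {"name": "chi-app01", "ips": ["10.3.0.11"],
     "tags": {"Location:Chicago", "Owner:Bob", "Priority:High", "Policy:PCI"}},
    {"name": "finance-srv", "ips": ["10.1.0.50"],
     "tags": {"Location:Portland", "Business Unit:Commercial", "Business Unit:Sales"}},
    {"name": "sales-srv", "ips": ["10.2.0.50"],
     "tags": {"Location:Seattle", "Business Unit:Sales"}},
]

# Saved filters as the guide describes them: an optional keyword plus a set of tags (constructed).
SAVED_FILTERS = {
    "Portland PCI High": {"keyword": "",
                          "tags": {"Priority:High", "Location:Portland", "Policy:PCI"}},
}


def tag_set_of(tag):
    """'Location:Portland' -> 'Location' (the tag set name before the first colon)."""
    return tag.split(":", 1)[0]


def keyword_matches(asset, keyword):
    """Keyword search: case-insensitive substring of the name, any IP address, or any tag."""
    kw = keyword.lower()
    return (kw in asset["name"].lower()
            or any(kw in ip for ip in asset["ips"])
            or any(kw in tag.lower() for tag in asset["tags"]))


def tags_match(asset, selected_tags):
    """OR within a tag set, AND across tag sets, exactly as the Asset Filter NOTE states."""
    by_set = {}
    for tag in selected_tags:
        by_set.setdefault(tag_set_of(tag), set()).add(tag)
    # every selected tag set must contribute at least one tag the asset carries
    return all(asset["tags"] & group for group in by_set.values())


def saved_filter_matches(asset, saved):
    """A saved filter is evaluated as one unit: its own tags (OR/AND rule) plus its keyword."""
    return tags_match(asset, saved["tags"]) and (
        not saved["keyword"] or keyword_matches(asset, saved["keyword"]))


def filter_assets(assets, tags=(), keywords=(), saved_filters=()):
    """Sorted names of assets satisfying every criterion: tags AND keywords AND saved filters."""
    names = []
    for asset in assets:
        if not tags_match(asset, tags):
            continue
        if not all(keyword_matches(asset, kw) for kw in keywords):
            continue
        if not all(saved_filter_matches(asset, SAVED_FILTERS[name]) for name in saved_filters):
            continue
        names.append(asset["name"])
    return sorted(names)


def tag_counts(assets, tags=(), keywords=(), saved_filters=()):
    """The per-tag counts the filter pane shows once a filter is applied (tag -> matching assets)."""
    matched = set(filter_assets(assets, tags, keywords, saved_filters))
    counts = Counter()
    for asset in assets:
        if asset["name"] in matched:
            counts.update(asset["tags"])
    return dict(counts)


if __name__ == "__main__":
    # The NOTE's example: Bob's assets in either Portland or Seattle.
    print(filter_assets(SAMPLE_ASSETS, tags={"Location:Portland", "Location:Seattle", "Owner:Bob"}))
    # Section 4.1.2: intersection of two tags from the same tag set via a keyword search.
    print(filter_assets(SAMPLE_ASSETS, tags={"Business Unit:Commercial"},
                        keywords=["Business Unit:Sales"]))
    print(tag_counts(SAMPLE_ASSETS, tags={"Priority:Critical"}))
```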
4.3 Viewing and Selecting Assets
To view the properties of an asset:
1. (Optional) Use the Asset Filter to refine the list of assets in the Asset List.
2. Click on the asset in the Asset List (do not select the checkbox). The asset’s properties are
displayed in the Selection Information pane. If there are any errors associated with the asset,
they will appear near the bottom of the Selection Information pane as well.
To select an asset:
1. (Optional) Use the Asset Filter to refine the list of assets in the Asset List.
2. Mark the checkbox adjacent to an asset in the Asset List. Alternatively, you could use the “All” or
“None” buttons near the top of the Asset List to select all or none of the assets, respectively. As
you select each asset, it is listed in the Selection Information pane. If you want to remove an
asset from the current selection, click on the “X” next to it. To remove all assets from the
current selection, click on the “Clear” button at the top of the Selection Information pane to
clear all selected assets.
4.4 Manually Applying Tags to Assets
1. (Optional) Use the Asset Filter to refine the list of assets in the Asset List.
2. In the Asset List, select any assets whose tags you want to edit.
3. Click Edit Tags in the Selection Information pane to open the Tags Drawer.
4. In the Tags Drawer, expand and select or clear the tags that are applied to the asset(s). A
marked checkbox means the tag is applied to all of the selected assets. An empty checkbox
means the tag is not applied to any of the selected assets. A filled checkbox means the tag is
applied to some of the selected assets.
5. Click Close to apply your changes and close the Tags Drawer.
4.5 Working with Tags and Tag Sets
Tags are descriptors that you can create and assign to your assets. You can assign as many tags to an asset as you like and you can always rename or delete the tags later (except for system or operational tag sets). Tags are organized using Tag Sets, which group a set of related tags. For example, a tag set named Location could include the tags Portland, Chicago, and New York. These tags would be represented in TE as Location:Portland, Location:Chicago, and Location:New York.
Tripwire Enterprise includes a number of System Tag Sets, pre-defined tag sets that organize your assets based on operating system, device type, or other criteria. These tags are automatically assigned to assets when you add them to TE. You can't edit or delete system tag sets or apply them to assets.
You will also see Operational Tag Sets, which help you manage the health of your assets by identifying errors. Operational tags are automatically applied to assets when an error is encountered. Assets are untagged automatically when the cause of the error is resolved for all tags except for the Uncategorized Errors tag. In those cases, it is necessary to manually dismiss Uncategorized Errors for the tag to be removed. In general, you are able to manually dismiss any of the errors at any time.
Asset View allows you to create user-defined tags and tag sets to organize and characterize your assets, giving you flexibility and control to place your assets into logical groups. For each tag and tag set you create, a corresponding smart node group will be created in the Nodes tab. As soon as an asset is assigned a tag, it will automatically be placed in the tag’s corresponding smart node group. You can use this smart node group to view nodes, scope tasks, scope policies, and much more, just as you can with a regular node group. You have full control over user-defined tags and tag sets, so you can add, remove, and edit them as necessary. To manage tags and tag sets:
1. Navigate to the Nodes Manager and select the Asset View tab.
2. Click on Manage Tagging in the upper left corner.
3. In the left pane of the resulting window, select Tag Sets.
a. To add a tag set: enter a name for the new tag set and click Add.
b. To rename a tag set: click the set’s name, then edit it and click Enter.
c. To delete a tag set: click on the “X” adjacent to the tag set. Review the system objects
associated with the tag set and then click Yes to confirm deletion.
4. To manage the tags in a tag set, expand the desired tag set to view the tags it contains.
a. To add a tag: enter a name for the new tag and click Add.
b. To rename a tag: click the tag’s name, then edit it and click Enter.
c. To delete a tag: click on the “X” adjacent to the tag. Review the system objects
associated with the tag and then click Yes to confirm deletion.
5. Click Filter Assets to return to the main Asset View page.
4.6 Working with Saved Filters
Saved filters are defined collections of tags that you can use to classify sets of assets. For example, you could create a saved filter named “Portland Win2K3 PCI” that includes any asset with the following combination of tags:
Location:Portland
Operating System:Windows 2003 Server
Policy:PCI
To manage saved filters:
1. Navigate to the Nodes Manager and select the Asset View tab.
2. Click on Manage Tagging in the upper left corner.
3. In the left pane of the resulting window, select Saved Filters.
a. To add a saved filter:
i. Click New Saved Filter.
ii. Enter a name for the new saved filter.
iii. (Optional) specify a keyword and/or tags that the filter will use to select assets.
iv. Click Save to create the new saved filter.
b. To edit an existing saved filter: select the saved filter and click Edit Saved Filter.
c. To delete a saved filter: select the saved filter and click Delete Saved Filter. Review the
system objects associated with the saved filter and then click Yes to confirm deletion.
4. Click Filter Assets to return to the main Asset View page.
4.7 Working with Tagging Profiles
Tagging profiles allow you to configure TE to apply additional tags to assets with specific characteristics. For example, you could create a profile to assign the tag Owner:Windows Admin to all Windows assets. Or you could assign Dept:Finance to all assets with "finance" in their hostname that are also within a specific IP address range. Tagging profiles enable you to apply tags to a large number of assets quickly and precisely, and to ensure that new assets are tagged properly. Tagging profiles can apply tags automatically when new assets are added to TE, or you can run them manually to quickly apply tags to existing assets in TE. To manage tagging profiles:
1. Navigate to the Nodes Manager and select the Asset View tab.
2. Click on Manage Tagging in the upper left corner.
3. In the left pane of the resulting window, select Tagging Profiles.
a. To add a tagging profile:
i. Click New profile.
ii. Enter a name for the new tagging profile.
iii. Specify whether you will run the profile manually or automatically.
iv. In the Choose Conditions section, specify the conditions the profile will use to
select assets.
v. In the Choose Tags to Apply section, specify the tags that the profile will assign
to the selected assets.
vi. Click Save to create the new profile. If you chose to run the profile
automatically, TE will run the profile immediately.
b. To manually run an existing tagging profile: select the profile and click Run Profile
Now.
c. To edit an existing tagging profile: select the profile and click Edit Profile.
d. To delete a tagging profile: select the profile and click Delete Profile.
4. Click Filter Assets to return to the main Asset View page.
TIP: In the Choose Conditions section, you can use the “Matches” and “Does Not Match” selectors to select assets using regular expressions. The “Contains” and “Does Not Contain” selectors use case-insensitive matching.
TIP: In the Choose Conditions section, you can use the match “All” or “Any” dropdown at the top to
determine if your multiple conditions should be evaluated with an “AND” or “OR” operator,
respectively.
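An added Python model of how a tagging profile evaluates its conditions (example code, not Tripwire's): “Contains” and “Does Not Contain” are case-insensitive substring tests, “Matches” and “Does Not Match” are regular expressions, and the All/Any setting decides AND versus OR; an automatic profile runs again when a new asset is added. The “In Range” selector, the attribute names, the unanchored regular-expression search and the sample assets are assumptions made for the guide's “finance” hostname plus IP range example.

```python
import copy
import ipaddress
import re

# Constructed inventory (not from the guide); the attribute names are assumptions for this example.
_SAMPLE_ASSETS = [
    {"name": "finance-db01", "ip": "10.20.1.15", "os": "Windows Server 2008 R2", "tags": set()},
    {"name": "FINANCE-web02", "ip": "10.20.1.40", "os": "Windows Server 2012", "tags": set()},
    {"name": "finance-lab", "ip": "192.168.5.7", "os": "Red Hat Enterprise Linux 6", "tags": set()},
    {"name": "hr-app01", "ip": "10.20.1.60", "os": "Windows Server 2012", "tags": set()},
]


def fresh_sample_assets():
    """A fresh copy so each run starts from untagged assets."""
    return copy.deepcopy(_SAMPLE_ASSETS)


# Profiles in the guide's terms: run mode, All/Any, (attribute, selector, value) conditions, and the
# tags to apply. Constructed examples mirroring the Dept:Finance and Owner:Windows Admin cases.
FINANCE_PROFILE = {
    "name": "Finance hosts in the finance subnet", "run": "automatic", "match": "All",
    "conditions": [("name", "Contains", "finance"), ("ip", "In Range", "10.20.1.0/24")],
    "tags": {"Dept:Finance"},
}
WINDOWS_PROFILE = {
    "name": "Windows owner", "run": "automatic", "match": "Any",
    "conditions": [("os", "Matches", r"^Windows")],
    "tags": {"Owner:Windows Admin"},
}
LAB_PROFILE = {
    "name": "Non-production", "run": "manual", "match": "Any",
    "conditions": [("name", "Matches", r"-lab$"), ("ip", "Does Not Match", r"^10\.")],
    "tags": {"Status:Non-Production"},
}


def condition_holds(asset, condition):
    """Evaluate one (attribute, selector, value) condition against an asset."""
    attribute, selector, value = condition
    actual = asset[attribute]
    if selector == "Contains":            # case-insensitive, per the TIP above
        return value.lower() in actual.lower()
    if selector == "Does Not Contain":
        return value.lower() not in actual.lower()
    if selector == "Matches":             # regular expression; unanchored search is an assumption
        return re.search(value, actual) is not None
    if selector == "Does Not Match":
        return re.search(value, actual) is None
    if selector == "In Range":            # assumed selector for the guide's IP address range example
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    raise ValueError("unknown selector: %s" % selector)


def run_profile(profile, assets):
    """Apply the profile's tags to every asset whose conditions hold ("All" = AND, "Any" = OR).

    Returns {asset name: [tags newly applied]}. Assets that matched but already carried every tag
    are omitted, so re-running a profile (manually or automatically) is idempotent.
    """
    combine = all if profile["match"] == "All" else any
    applied = {}
    for asset in assets:
        if combine(condition_holds(asset, c) for c in profile["conditions"]):
            new_tags = set(profile["tags"]) - asset["tags"]
            if new_tags:
                asset["tags"] |= new_tags
                applied[asset["name"]] = sorted(new_tags)
    return applied


def add_asset(asset, assets, profiles):
    """Adding an asset triggers every automatic profile; manual profiles wait for Run Profile Now."""
    assets.append(asset)
    return {p["name"]: run_profile(p, [asset]) for p in profiles if p["run"] == "automatic"}


if __name__ == "__main__":
    inventory = fresh_sample_assets()
    for profile in (FINANCE_PROFILE, WINDOWS_PROFILE, LAB_PROFILE):
        print(profile["name"], "->", run_profile(profile, inventory))
    newcomer = {"name": "finance-web03", "ip": "10.20.1.77", "os": "Windows Server 2012", "tags": set()}
    print(add_asset(newcomer, inventory, [FINANCE_PROFILE, WINDOWS_PROFILE, LAB_PROFILE]))
```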
5 STANDARD OPERATIONS
5.1 Create a Group
Each of the managers (excluding the Home Page, Log, and Settings Managers) uses groups to organize
objects. Each manager has its own group object(s):
Manager   Group Object(s)
Node      Node Group, Smart Node Group
Rule      Rule Group
Action    Action Group
Task      Task Group
Policy    Policy Test Group
Report    Report Group
You are able to create groups within the “Root Group” of each manager or within other groups (also
called “sub-groups”). The Node Manager is unique in that it has two types of groups: node groups and
smart node groups.
The process of creating groups is the same for each of these managers:
1. Select the location you would like to create the new group within (either the “Root Group” or
another group).
2. Click on the New Group button under the Manage button set on the button bar.
3. Specify a group name and (optional) description in the resulting dialog window.
4. Click Finish to create the group.
5.1.1 Node Groups
Node groups (also called “classic” node groups) are primarily a legacy feature. They are static groups
designed to hold a group of nodes that have been manually placed in this group. You are also able to
create groups inside of an existing classic node group. Classic node groups are identified by a folder icon
in the Tree Pane of the Nodes Manager.
5.1.2 Smart Node Groups
Smart node groups, conversely, are dynamic groups whose “children” nodes are automatically
populated based upon specific properties or user defined profiles configured in Asset View. Smart node
groups are identified by a lightbulb icon in the Tree Pane of the Nodes Manager.
Users are unable to create smart node groups as these groups are managed through Asset View. Using
Asset View is the only way to create, delete, or rename these smart node groups. Creating a new tag or
tag set in Asset View, for example, would create a corresponding smart node group in the Node
Manager. This also means you cannot create groups inside a smart node group, nor move, link, or
import smart node groups.
5.2 Create an Object
Each of the managers (excluding the Home Page, Log, and Settings Managers) controls and manages
specific objects. Each manager has its own object(s), which can have different types:
Manager   Object(s)
Node      Node
Rule      Rule
Action    Action
Task      Task
Policy    Policy Test, Policy
Report    Report, Dashboard
You are able to create objects within the “Root Group” of each manager or within other groups. The
Policy and Report Managers are unique in that they each have two types of objects that they manage. In
the Policy Manager you can create both policy tests and policies. In the Report Manager you can create
both reports and dashboards.
The process of creating new objects is essentially the same for each of these managers:
1. Navigate to the desired manager for the object you would like to create.
2. Select the location you would like to create the new object within (either the “Root Group” or
another group).
3. Click on the New <Object Name> button under the Manage button set on the button bar (where
“<object name>” is one of the objects from the above table).
4. (If applicable) Select the type of object to create in the resulting dialog window.
5. Complete the New <Object Name> Wizard with your desired settings.
6. Click Finish to create the object.
5.2.1 Create a Rule
To create a rule, follow the same process explained above for creating new objects, but do so within the
Rule Manager. Below are some helpful tips to consider when creating rules:
Place newly created rules within a meaningful group structure as you will need to scope check
tasks to these groups, among other operations.
After selecting the type of rule to create, you will have an opportunity to provide a name and
description for the rule. You will also notice a checkbox called “Enable Tracking Identifier”. Keep
this checkbox selected if you would like the rule to have a unique identifier to track it between
different TE installations or import/export processes. In most cases, you will want to keep this
checkbox selected.
For certain rule types (such as file system rules), you will need to specify start and/or stop points
for the rule. You will also see a “Browse” button that you can use to browse the file system of an
Agent host.
To do so you will need to click the “Select Node” button and navigate to the host you would like
to browse. Then click OK.
Browse the file system until you identify a location/path you would like to create a start or stop
point for. Your selection will appear in the “Selected path” field. Click the New Start Point or
New Stop Point buttons, respectively. Then complete the start/stop point wizard with your
desired settings.
Start Point Tips
o It is far better to have a start point that you have “drilled down” to (start small) and
then modify the start point or rule later than it is to start at the top of a file path tree. If
you do the latter, you may end up with hundreds of thousands of elements that are not
critical to the execution of the application or system you are monitoring. You must then
pare down the start point or rule and then find and delete all the elements that will no
longer be monitored. Otherwise these elements become “orphans” that uselessly
clutter your database and result in audit event error messages in your Log Manager.
o Reset the “Default Severity” level from the default of 10000 to a level that either reflects
the criticality of changes to this element or matches with a defined severity range you
have. Doing the latter allows you to generate reports that target a specific severity
range and only include changes from the corresponding rules with that severity level.
o Do not set a default severity of zero. Changes to elements associated with a rule that has a
severity of zero will never be reported as changes. New element versions will still be collected,
however, contributing to unpromoted changes to that element.
o Mark the “Archive element content” checkbox if the file or files in the directory path of
the start point are primarily test files or you have a specific need to monitor the content
of text files in the path. Otherwise, leave it blank. TE will not archive the content of
binary or encrypted files. Use caution if you have a directory that contains a large
number of text files as monitoring such a path can consume a lot of database space,
especially if the file content changes frequently.
o Keep the “Recurse directory” checkbox selected unless the start point is for a specific
file versus an entire directory.
o Change the “Limit depth to” field to a value other than zero only if you want to limit the
depth of your recursive monitoring. (A value of zero instructs TE to monitor from the
start point path to the bottom of the path’s directory structure.) For example, if you
want to monitor files one level down from a start point path, change the value to 1.
o When selecting your criteria set, keep in mind that “content” refers to monitoring
content hashes and/or file size. It does not archive the file content as the previously
mentioned “archive element content” option does. If none of the built-in criteria sets
meets your needs, you can create a new one. To simplify the process, you can also
create a new criteria set based upon an existing one. Simply use the “New from
Selected” button. You can click on any of the pre-defined criteria to see what actual
attribute data a given set captures. Leaving “package data” collection unchecked in a
new (or existing) criteria set will cause TE to “skip” any locked attributes silently instead
of reporting an inability to capture information when another process has an exclusive
lock on the file.
o You can use the include or exclude filters to have more granular control over which files
TE will monitor in a particular start point. Element filters apply to the full recursion
depth specified in the start point. Configuring an include filter will cause TE to only
monitor files that match the filter. Everything else will be excluded. Configuring an
exclude filter will cause TE to monitor all files in the start point path except for those
that match the filter. If you want to only monitor directories, use an exclude filter of “*”
to match all files.
Use stop points to exclude monitoring of and stop recursion of specific paths. You can also use
stop points to exclude monitoring of a specific file. Common paths to be excluded include data
or log directories.
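An added Python walk (not Tripwire's code) that reproduces the start point options above on a constructed directory tree: “Limit depth to” (0 = unlimited), “Recurse directory”, include/exclude filters that apply to file names only (so an exclude filter of “*” leaves just directories), single-file start points, and stop points that are neither monitored nor recursed into. The exact semantics are assumptions drawn from the text; element paths are returned relative to the tree root.

```python
import fnmatch
import os
import tempfile


def build_sample_tree():
    """Create a constructed application layout in a temp dir and return its root (example data)."""
    root = tempfile.mkdtemp(prefix="te_startpoint_")
    files = {
        "app/bin/server": "binary",
        "app/etc/server.conf": "listen=443",
        "app/etc/ssl/server.key": "PLACEHOLDER-KEY",
        "app/logs/server.log": "started",
        "app/data/cache/blob.bin": "0000",
        "app/README.txt": "readme",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def _rel(root, path):
    """Path relative to the tree root with forward slashes, for stable output on any platform."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def collect_elements(root, start_point, recurse=True, limit_depth=0,
                     include=(), exclude=(), stop_points=()):
    """Return the sorted element paths a start point would monitor (assumed semantics).

    limit_depth: 0 monitors to the bottom of the tree; 1 monitors only the start point's children.
    include/exclude: fnmatch patterns applied to file names; directories are always elements.
    stop_points: paths (files or directories) that are excluded and never recursed into.
    """
    start = os.path.normpath(os.path.join(root, start_point))
    stops = {os.path.normpath(os.path.join(root, s)) for s in stop_points}
    if os.path.isfile(start):
        return [_rel(root, start)]          # a start point for a specific file
    elements = []
    for dirpath, dirnames, filenames in os.walk(start):
        depth = 0 if dirpath == start else len(os.path.relpath(dirpath, start).split(os.sep))
        # subdirectories that are not stop points are elements themselves
        subdirs = sorted(d for d in dirnames if os.path.join(dirpath, d) not in stops)
        elements.extend(_rel(root, os.path.join(dirpath, d)) for d in subdirs)
        # entries listed here sit at depth + 1; stop descending once the limit is reached
        if not recurse or (limit_depth and depth + 1 >= limit_depth):
            dirnames[:] = []
        else:
            dirnames[:] = subdirs
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if full in stops:
                continue
            if include and not any(fnmatch.fnmatch(name, p) for p in include):
                continue
            if any(fnmatch.fnmatch(name, p) for p in exclude):
                continue
            elements.append(_rel(root, full))
    return sorted(elements)


if __name__ == "__main__":
    tree = build_sample_tree()
    print("full recursion:", collect_elements(tree, "app"))
    print("limit depth 1: ", collect_elements(tree, "app", limit_depth=1))
    print("dirs only:     ", collect_elements(tree, "app", exclude=["*"]))
    print("config only:   ", collect_elements(tree, "app", include=["*.conf", "*.key"]))
    print("stop points:   ", collect_elements(tree, "app", stop_points=["app/logs", "app/data"]))
```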
5.2.2 Create a Task
To create a task, follow the same process explained above for creating new objects, but do so within the
Task Manager. Below are some helpful tips to consider when creating tasks:
Completing the Fast Track process will generate many initial tasks for you. However, you will
often need to adjust the imported tasks or add more to have greater granularity and control
over the configuration.
When naming tasks, it is best practice to be as descriptive as possible. A great strategy is to
include the type of task followed by the scheduled frequency, scoped nodes, and scoped rules.
An example is “OS - Daily - Windows 2008 R2 Node(s) with Windows 2008 R2 Change Audit
Rules”.
You can create a baseline check task to automate the baseline process, but it is often more
helpful to simply use a check task to perform the initial baseline operation. When you create a
new check task, the final page of the wizard will provide you with an opportunity to “initialize
baselines” upon creation of the check task. Furthermore, you can select a given check task and
click on the Baseline button from the button bar.
The “Run as user” field determines which user context the task is run in. If a user has restricted
access to nodes and/or rules, this can cause the task to fail. It is recommended that tasks are
created by a user with the “Administrator” role so the task can run as the “system” user.
It is best practice to always set timeouts for check tasks. This ensures that the check task will be
stopped if the operation is taking too long. Set a timeout for the shortest time you feel
comfortable with (usually 1 hour is sufficient). As more nodes are added (or if you notice a check
task has timed out), you can extend the timeout value.
When scoping tasks to node and rule groups, be sure that you are selecting the correct node
group for the rules you plan to run the task against. If there is a mismatch, you run the risk of
checking incorrect elements against nodes or not getting the report results you expect.
When configuring the check interval, “daily” means every day of the week whereas “weekly”
allows you to select which days in a week to execute the task. In situations where maintenance
windows or backup schedules come into play, using weekly will provide you with greater
flexibility.
Keep in mind that tasks run according to the time of the TE Console server. If the target node or
node group is in another time zone, you should take this into consideration when selecting the
task run time(s).
Be sure to apply appropriate actions to the task. Commonly applied actions (or action groups)
include BAU promotion workflows, alert actions (like email or syslog actions), or run report
actions. Keep in mind you can apply more than one action to a task.
5.2.3 Create an Action
To create an action, follow the same process explained above for creating new objects, but do so within
the Action Manager. Below are some helpful tips to consider when creating actions:
Actions will only execute in response to an element change. Keep that in mind when creating
and using them.
Use the true and false settings of conditional actions to create a sophisticated action workflow.
When multiple actions are located in a group, the ordinal value determines the order they are
executed in. Mark the checkbox of an action in a group and use the “Move Ahead” and “Move
Back” buttons to adjust its placement in the order.
Actions can be applied to rules and/or tasks, giving you flexibility to execute actions for different
situations.
5.2.4 Create a Report
To create a report, follow the same process explained above for creating new objects, but do so within
the Report Manager. Below are some helpful tips to consider when creating reports:
It is recommended that you use a specific report group for storing reports that you create or run
on an irregular basis (such as “one-off” reports). You can create your own group(s) or use the
“Ad-hoc” group.
When creating reports, you will use the Criteria tab of the report’s property editor to configure
specific parameters for the report. You can choose to report on specific rules, nodes, versions,
and many other options. The parameters available depend upon the report type you choose.
Reports offer the ability to link to other reports. This allows you to have a higher-level, summary
report with interactive (clickable) links that then generate more detailed reports. By default you
should have “drill down” report templates installed. When creating new reports, simply link to
these “drill down” report templates using the “Links” section of the Criteria tab of a reports
property editor. Alternatively, you can create your own report templates to link to. You can
select a single report or group for each available report link. If you select a group, the user will
be presented with a dialog from which to choose the linked report they would like to run.
After running a report, you can choose to export, email, or even archive the report as a means
to “save” the report. Archiving the report will store the results in the TE back-end database.
Simply click the “Archive Report” button. Keep in mind that exporting, emailing, or archiving
reports will not include any linking or “drill down” functionality.
For timely attention to changes detected or compliance results, it is recommended that you
create scheduled reports. Create and organize your reports according to the type of report
(change audit versus compliance, for example) and frequency (daily, weekly, monthly, quarterly,
ad-hoc, etc.). Then create a report task in the Task Manager and select the corresponding
report.
5.3 Move an Object
Each of the managers (excluding the Home Page, Log, and Settings Managers) control and manage
specific objects. Once an object exists in a manager, you are able to move the object to a different
group to keep things organized.
NOTE: You can only move objects into either the “Root Group” or other standard groups. For example,
you cannot move a node object into a smart node group as smart node groups are managed using Asset
View.
The process of moving objects is essentially the same for each of these managers:
1. Select the parent group of the object you would like to move in the Tree Pane.
2. Select the checkbox that corresponds to the object you would like to move in the Main Pane.
3. Click on the Move button under the Manage button set on the button bar.
4. In the resulting dialog window select the group you intend to move the object into. The group
name will appear in the Destination field.
5. Click OK to move the object.
5.4 Link/Unlink an Object
Each of the managers (excluding the Home Page, Log, and Settings Managers) control and manage
specific objects. Objects can exist in one group or many. When objects are located in many groups, they
are said to be “linked” in multiple locations. In other words, a single object is referenced in several
groups. If you were to edit this object in one location, your changes would be reflected across the other
references to this object.
NOTE: The process of moving an object is similar to linking. When an object is moved, a link to the
object is created at the new location and the link at the old location is deleted.
NOTE: You can only link objects into either the “Root Group” or other standard groups. For example,
you cannot link a node object into a smart node group as smart node groups are managed using Asset
View.
The process of linking objects is essentially the same for each of these managers:
1. Select the parent group of the object you would like to link in the Tree Pane.
2. Select the checkbox that corresponds to the object you would like to link in the Main Pane.
3. Click on the Link button under the Manage button set on the button bar.
4. In the resulting dialog window select the group you intend to link the object to. The group name
will appear in the Destination field.
5. Click OK to link the object.
The process of unlinking objects is nearly identical to linking them:
1. Select the parent group of the object you would like to unlink in the Tree Pane.
2. Select the checkbox that corresponds to the object you would like to unlink in the Main Pane.
3. Click on the Unlink button under the Manage button set on the button bar.
4. In the resulting dialog window select the group you intend to unlink the object from. The group
name will appear in the Destination field.
5. Click OK to unlink the object.
If you unlink an object from all of its linked locations, the object will be moved to the special Unlinked
group of the current manager. See Delete an Object for more information.
5.4.1 Link a Node
To link a node, follow the same process explained above for linking objects, but do so within the Node
Manager. Linking nodes is primarily a legacy operation as using smart node groups is the default feature.
Use Asset View to organize your nodes and tag them appropriately. Doing so will create new smart node
groups that will automatically link nodes as they are tagged and placed in your configured tag sets.
5.5 Delete an Object
Each of the managers (excluding the Home Page, Log, and Settings Managers) control and manage
specific objects. Just like you can create objects, you can also delete them. Deleting objects purges
them from the database.
NOTE: The process of deleting an object is similar to unlinking. When an object is deleted, all links to the
object are removed.
There are slight differences between deleting groups and deleting objects. If you delete a group, all
descendant objects (the “children”) will be placed in the special Unlinked group of the current manager.
Think of the Unlinked group as analogous to an operating system’s trash or recycle bin. The objects in
the Unlinked group will remain in this special group until the Clear Unlinked Groups task runs, which
may be started at the time of deletion. Regardless, as soon as this maintenance task starts the objects
will be purged from the database irreparably. If you delete an object directly, it will be purged from the
database irreparably at the time of deletion.
NOTE: If you delete an object from the Unlinked group, it will be purged from the database irreparably
at the time of deletion.
The process of deleting objects is essentially the same for each of these managers:
1. Select the parent group of the object you would like to delete in the Tree Pane.
2. Select the checkbox that corresponds to the object you would like to delete in the Main Pane.
3. Click on the Delete button under the Manage button set on the button bar.
4. In the resulting dialog window you may choose to run the Clear Unlinked Groups task or not.
5. Click OK to delete the object.
5.5.1 Delete a Node
If the data pertaining to the node is not required for future audits or historical purposes, you may simply
delete it. Follow the process below to remove a node:
1. If you are deleting a file system node, you will want to have a system administrator uninstall the
TE Agent installed on that system. Otherwise future restarts of the Agent service will recreate
the node in the Console.
2. If desired, the system administrator can delete the installation path for the Agent after
uninstalling it (by default there are certain configuration files left behind in case the Agent
uninstallation was a mistake).
3. Once you are ready to delete the node, follow the same steps explained above for deleting
objects.
NOTE: Deleting a node will remove all licenses assigned to it. Additionally, certain objects, such as tasks
or actions, associated to the node will be deleted along with the node.
5.6 Import/Export an Object
Each of the managers (excluding the Home Page, Log, and Settings Managers) control and manage
specific objects. TE provides an import and export feature for each of these objects. This allows
previously configured objects to be exported as-is, or imported to create identical copies of the original
configuration. Importing and exporting are useful for creating backups of managers, for managing
content between multiple Consoles, and as the mechanism for upgrading TE content as Tripwire publishes
updates.
The process of exporting objects is the same for each of these managers:
1. Select the parent group of the object you would like to export in the Tree Pane.
2. Select the checkbox that corresponds to the object you would like to export in the Main Pane.
3. Click on the Export button under the Manage button set on the button bar.
4. In the resulting dialog window, choose to export “All nodes and node groups” or “Selected
nodes and node groups only”. Choosing the latter will only export the objects you have selected
from the Main Pane.
5. Click OK to export the object.
6. Save the resulting XML file.
The process of importing objects is the same for each of these managers:
1. Select the parent group in which you would like to import new objects from the Tree Pane.
2. Click on the Import button under the Manage button set on the button bar.
3. In the resulting dialog window, click the “Browse” button and navigate to the location of the
import XML file.
4. Click OK to import the new object(s).
NOTE: Upon import, TE will attempt to link existing objects to new objects using the following criteria:
Using the unique tracking ID of the object
By matching objects of the same name (and type)
NOTE: When importing content published by Tripwire, always import into the “Root Group” of the
manager. Otherwise you end up creating duplicate groups in alternate locations which creates
unnecessary links and complicates future imports.
TIP: When importing updated rules/policies published by Tripwire, it is best practice to update all of
your rules and policies at the same time.
NOTE: When importing policies, you must import the policy rules into the Rule Manager first before
importing policies into the Policy Manager.
NOTE: When importing content published by Tripwire, any custom modifications you have made to
Tripwire published rules will be overwritten by the newly imported content.
NOTE: If you attempt to import the wrong import file into a manager, you will receive an error.
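The first NOTE above gives the order in which an import is matched against what the Console already holds: by tracking ID first, then by name and type, otherwise a new object is created. The following Python is an added example of that matching order and of the overwrite warning in the last NOTE; it is not Tripwire's importer and does not parse TE's export XML. The TEObject class, the object names, tracking IDs and bodies are constructed for the illustration.

```python
"""Added illustration of the import-matching order (tracking ID, then name+type). Not Tripwire code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TEObject:
    tracking_id: str                 # the unique tracking ID carried in an export
    name: str
    kind: str                        # object type, e.g. "rule" or "rule_group" (constructed labels)
    body: Dict[str, object] = field(default_factory=dict)


def plan_import(existing: List[TEObject], incoming: List[TEObject]) -> List[Tuple[str, str, str]]:
    """One (action, incoming_id, local_id) per incoming object.

    Matching order: 1) identical tracking ID, 2) identical name AND type. Anything
    unmatched is created. A match is an in-place update, so local edits to it are lost.
    """
    by_id = {o.tracking_id: o for o in existing}
    by_name_kind = {(o.name, o.kind): o for o in existing}
    plan: List[Tuple[str, str, str]] = []
    for obj in incoming:
        local = by_id.get(obj.tracking_id) or by_name_kind.get((obj.name, obj.kind))
        if local is None:
            plan.append(("create", obj.tracking_id, obj.tracking_id))
        else:
            plan.append(("update", obj.tracking_id, local.tracking_id))
    return plan


def overwritten_customisations(existing: List[TEObject], incoming: List[TEObject],
                               plan: List[Tuple[str, str, str]]) -> List[str]:
    """Local IDs whose body differs from what the import will write over them: review before importing."""
    local_by_id = {o.tracking_id: o for o in existing}
    incoming_by_id = {o.tracking_id: o for o in incoming}
    return [local_id for action, inc_id, local_id in plan
            if action == "update" and local_by_id[local_id].body != incoming_by_id[inc_id].body]


def demo() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Constructed objects: a vendor rule renamed and edited locally, an untouched one,
    a name clash across types, and a locally created group that an export now supplies under its own ID."""
    existing = [
        TEObject("tw-1001", "Critical System Files (site edit)", "rule", {"paths": ["/etc", "/usr/local/etc"]}),
        TEObject("tw-1002", "Kernel Modules", "rule", {"paths": ["/lib/modules"]}),
        TEObject("site-01", "Web Servers", "rule_group"),
    ]
    incoming = [
        TEObject("tw-1001", "Critical System Files", "rule", {"paths": ["/etc"]}),   # ID match despite rename
        TEObject("tw-1002", "Kernel Modules", "rule", {"paths": ["/lib/modules"]}),  # identical, harmless
        TEObject("tw-2000", "Kernel Modules", "rule_group"),                         # same name, other type
        TEObject("tw-3000", "Web Servers", "rule_group"),                            # name+type match, new ID
    ]
    plan = plan_import(existing, incoming)
    return plan, overwritten_customisations(existing, incoming, plan)


if __name__ == "__main__":
    plan, lost = demo()
    for action, inc_id, local_id in plan:
        print(f"{action:7} {inc_id} -> {local_id}")
    print("local edits that would be overwritten:", lost)
```

The renamed rule is still matched by its tracking ID, which is why a site edit to a Tripwire-published rule is overwritten on the next content import; the group created locally under its own ID is matched by name and type, so it will be updated rather than duplicated. Running the plan before the real import is the check that tells you which local modifications to re-apply afterwards.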
5.7 Baseline a Node
Beginning with TE version 8.1, creating an initial baseline of a node is no longer a required step. TE will
automatically generate baseline element versions for any rule running against a node that has not been
previously baselined. However, there may be some instances in which you wish to baseline a node
outside of the first check.
1. Select the parent group of the node you would like to baseline in the Tree Pane.
2. Select the checkbox that corresponds to the node you would like to baseline in the Main Pane.
3. Click on the Baseline button under the Control button set on the button bar.
4. In the resulting dialog window:
a. (Not available for nodes with 0 elements) Select the first “Baseline” radio button to baseline the
node with all currently baselined rules (essentially re-baselining the node, depending upon the
selection in steps c/d below).
b. Select the second “Baseline” radio button to baseline the node with a specific rule or rule group.
Navigate to your desired rule or rule group and click it in the dialog window’s Tree Pane. Your
current selection will appear in the “Rule” field.
c. Select the first “Create baselines for” radio button to only create baselines for rules that have
not been previously baselined.
d. Select the second “Create baselines for” radio button to create baselines for all rules selected
above (this may result in some elements being re-baselined as well as baselining new rules).
5. Click OK to baseline the node.
Once a node has been baselined, it should only be checked from then on. The exceptions to this are if
you have modified any of the rules previously baselined against it (such as by importing an updated
rule), or if you have created a new rule that you would like to baseline against the node.
5.8 Check a Node
Performing a check of a node is the heart of TE’s monitoring. TE uses checks to assess if a monitored
element has changed in any fashion. The best approach to configuring checks is to use scheduled check
tasks. However, there may be times when you need to manually check a node. For example, you may
want to run a manual check to obtain the latest possible version of a monitored element, or to gather
any audit events held in the Agent’s queue (for nodes that support the TE Event Generator).
1. Select the parent group of the node you would like to check in the Tree Pane.
2. Select the checkbox that corresponds to the node you would like to check in the Main Pane.
3. Click on the Check button under the Control button set on the button bar.
4. In the resulting dialog window:
a. (Not available for nodes with 0 elements) Select the first “Perform check on” radio button to
check the node with all currently baselined rules.
b. Select the second “Perform check on” radio button to check the node with a specific rule or rule
group. Navigate to your desired rule or rule group and click it in the dialog window’s Tree
Pane. Your current selection will appear in the “Rule” field.
5. Click OK to check the node.
5.9 Viewing Changes
When TE detects a change to a monitored element, a visual indicator called the severity indicator
appears on the node icon. This indicator takes the form of a colored dot. The color is configured on the
Settings Manager > System > Severity Ranges page. To view the specific element with changes:
1. Navigate to the rule associated with the element in the Tree Pane. You can do so by expanding
the node and/or rule groups with the same colored severity indicator.
2. Select the rule resulting from step 1 in the Tree Pane.
3. Elements with changes should appear at the top of the Main Pane by default. They will have a
colored plus, minus, or exclamation point symbol on the element icon. The Main Pane will show
you the element name, current version, and version type. If you do not see any elements with
changes, sort by severity.
4. If you would like to compare the current version with the most recent baseline version, click on
the version type link. This will open the Difference Viewer in a new window.
The Difference Viewer compares the current element version with the most recent baseline element
version in a side-by-side view. Tabs at the top of the Difference Viewer allow you to switch between
comparing the element content (if available) and the monitored attributes. Differences are shown in
either: red (change/modification), green (insertion/addition) or blue (deletion).
5.10 Promoting Changes
A critical component of using TE is promoting changes. By default, TE assumes all changes are
unauthorized. When changes are detected, they are made available for viewing in the UI as well as
through reports and alerts. It is vital that you evaluate a change and determine if the change was
authorized or unauthorized. The act of promoting a change informs TE that the target change was an
authorized change. TE then takes the change version that has been promoted and uses it for the new
baseline version. Future checks will then look for differences between this new baseline version and
what is currently monitored.
To evaluate if a change is authorized or unauthorized, use these questions as guidance:
1. Is the change known, expected, and approved?
2. Is the change unexpected but still appropriate?
3. Is this a system or application induced change?
4. Is the change both unexpected and inappropriate?
Mature organizations will usually have a maintenance/change schedule during which change is expected
to occur. Even if they do not have defined change windows, mature organizations have strict change
management guidelines to provide visibility into and approval for any changes that occur. When change
management evaluates a change for impact and deems it approved, the change can then be scheduled
and implemented. Changes following this process should be promoted within TE.
There are times when changes may not have been approved by change management prior to
implementation, due to process negligence, or because they were not expected. If the change is
appropriate, it should be promoted within TE. An example would be the installation of a utility that
supports a critical business application. If the lack of a change request was due to process negligence,
this would be a good opportunity to educate personnel on the change management process.
However, if the change is not appropriate, it should not be promoted within TE. Examples include a
missing file or the presence of an unexpected file. Instead, the TE administrator along with application
and/or system administrators should investigate the change and revert the system to its previous
condition. Once the resolution has been detected as a new change by TE, then a promotion should be
performed to close the loop.
For changes that are unexpected but due to a system/application process, it would be wise to configure
a forensic or BAU action workflow to promote the change. Once that workflow is configured, it would be
necessary to promote the initial change.
To assist in the decision-making process, it is helpful to review what specifically was modified, added, or
removed from a monitored system. See Viewing Changes for more information on identifying and
viewing changes within the Console UI. When you are in the Node Manager or on the Elements tab of a
node’s Property Editor, the Version Type column will very clearly inform you of the type of change that
occurred for a given element. Use the Difference Viewer, element properties, and version information to
investigate the change.
Once you have concluded your investigation and decided a promotion is warranted, you are ready to
promote to the affected elements.
1. Navigate to the Node Manager.
2. You can either navigate to the affected elements within the Node Manager, from the Elements
tab of the node’s Property Editor, using the results of an Element Search, using the results of a
Version Search, or by switching to “Elements View” when looking at certain changed elements
reports.
3. Mark the checkbox next to each element or element version you would like to promote. Click on
the Promote button from the button bar (under the Control button set in the Node Manager).
4. In the resulting dialog window, you may see more than one promotion method available
depending upon the object you had selected. If you had selected an element version, however,
you should only see the “Promote selected versions” method. Select this method and click OK.
5. In the resulting dialog window, select the “Custom” radio button if you want to manually specify
the promotion comment and approval identifier. If you have previously created a promotion
approval template, you can choose the “From template” radio button and select your desired
template.
6. Complete and/or edit the promotion comment and approval identifier fields. If you would like to
use your comment and approval identifier as a future approval template, click the “Save as
Template” button.
7. Click Next >.
8. Finally, unless you intend to use a “package” in your promotion action, click Finish. Your
selected elements/versions will now be promoted.
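Sections 5.7 through 5.10 describe a loop that the Console performs for you: baseline, check, inspect the version type, then promote what was authorized. The following Python is an added example that carries that loop out over a constructed directory tree; it is not Tripwire code and uses no TE API. It borrows the guide's terms for the parts of a rule (start point, criteria set, recursion limit, element filter); the StartPoint class, the attribute names, the file names and the approval identifier are assumptions. It shows why an untuned rule reports timestamp churn and backup files as changes while a tuned rule does not, and that an inappropriate change is reverted on the host and re-checked rather than promoted.

```python
"""Added illustration of baseline -> check -> promote over a directory tree. Not Tripwire code."""
import fnmatch, hashlib, os, shutil, stat, tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

ALL_ATTRS = ("sha256", "size", "mode", "mtime")

@dataclass
class StartPoint:
    """One start point specifier of a rule (terms follow the guide; the class is an assumption)."""
    path: str
    criteria: Tuple[str, ...] = ALL_ATTRS  # criteria set: which attributes count as a change
    recurse_depth: Optional[int] = None    # None = unlimited; 0 = the directory entry only
    exclude: Tuple[str, ...] = ()          # element filters: fnmatch patterns on the basename

def element_version(path: str, criteria: Tuple[str, ...]) -> Dict[str, object]:
    """Snapshot one element. Directories keep only mode, so a new child does not flap the parent."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        return {"type": "dir", "mode": stat.S_IMODE(st.st_mode)}
    attrs = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        attrs["sha256"] = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {k: v for k, v in attrs.items() if k in criteria}

def walk(sp: StartPoint) -> Iterable[str]:
    """Element paths under a start point, honouring the recursion limit and exclude filters."""
    if not os.path.isdir(sp.path):
        yield sp.path
        return
    base = sp.path.rstrip(os.sep).count(os.sep)
    excluded = lambda name: any(fnmatch.fnmatch(name, pat) for pat in sp.exclude)
    for root, dirs, files in os.walk(sp.path):
        yield root
        if sp.recurse_depth is not None and root.count(os.sep) - base >= sp.recurse_depth:
            dirs[:] = []  # keep the directory's existence/permissions, ignore its contents
            continue
        dirs[:] = [d for d in dirs if not excluded(d)]
        yield from (os.path.join(root, f) for f in files if not excluded(f))

def collect(rule: List[StartPoint]) -> Dict[str, Dict[str, object]]:
    """Current element versions. Longer (more specific) start points run last, so their criteria win."""
    elements = {}
    for sp in sorted(rule, key=lambda s: len(s.path)):
        for path in walk(sp):
            elements[path] = element_version(path, sp.criteria)
    return elements

def check(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, str]:
    """Version type per changed element. After editing criteria, re-baseline: the attribute sets differ."""
    changes = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes[path] = "added"
        elif path not in current:
            changes[path] = "removed"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes

def promote(baseline: Dict[str, dict], current: Dict[str, dict], paths: List[str],
            comment: str, approval_id: str) -> List[Dict[str, str]]:
    """Authorize a change: the current version becomes the baseline; a removed element leaves it."""
    for path in paths:
        if path in current:
            baseline[path] = current[path]
        else:
            baseline.pop(path, None)
    return [{"element": p, "comment": comment, "approval_id": approval_id} for p in paths]

def demo() -> Dict[str, Dict[str, str]]:
    """Constructed tree: an untuned rule beside a tuned one, then promote, revert and re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    etc, cache, log = os.path.join(root, "etc"), os.path.join(root, "etc", "cache"), os.path.join(root, "log")
    os.makedirs(cache); os.makedirs(log)
    conf, state, rogue = os.path.join(etc, "app.conf"), os.path.join(cache, "state.bin"), os.path.join(etc, "rogue.sh")
    Path(conf).write_text("port=443\n"); Path(state).write_text("cached"); Path(log, "app.log").write_text("start\n")
    untuned = [StartPoint(etc), StartPoint(log)]
    tuned = [StartPoint(etc, exclude=("*.bak",)),                     # element filter
             StartPoint(cache, criteria=("sha256", "size", "mode")),  # adjusted criteria set: no mtime
             StartPoint(log, recurse_depth=0)]                        # limited recursion
    baselines = {"untuned": collect(untuned), "tuned": collect(tuned)}
    rel = lambda ch: {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in ch.items()}
    # Activity between checks: one real change, three kinds of noise, one unwanted file.
    Path(conf).write_text("port=8443\n")
    st = os.stat(state); os.utime(state, (st.st_atime, st.st_mtime + 3600))  # timestamp-only churn
    Path(conf + ".bak").write_text("port=443\n")
    Path(log, "app.log").write_text("start\nstop\n")
    Path(rogue).write_text("#!/bin/sh\n")
    results = {"untuned": rel(check(baselines["untuned"], collect(untuned))),
               "tuned": rel(check(baselines["tuned"], collect(tuned)))}
    # The approved change is promoted; the unwanted file is reverted on the host, never promoted.
    promote(baselines["tuned"], collect(tuned), [conf], "Listener moved to 8443", "CHG-0042")
    os.remove(rogue)
    results["after"] = rel(check(baselines["tuned"], collect(tuned)))
    shutil.rmtree(root)
    return results

if __name__ == "__main__":
    for phase, changes in demo().items():
        print(phase, changes or "no changes")
```

Two points carry over to the Console. The tuned rule is quiet about the cache file because mtime is not in its criteria set, so that churn never becomes a version you have to evaluate; and the rogue script is cleared by removing it and re-checking, which is the "close the loop" outcome the text describes, whereas promoting it would have silently made it part of the baseline.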
5.11 Viewing Reports and Dashboards
Reports and dashboards can be viewed in several ways:
Click on the Run Report button next to a report or dashboard in the Report Manager or Reports
widget on the Home Page Manager.
Emailed either manually after running a report or through a report task.
Graphical reports configured within a dashboard can be viewed on the home page they were
added to once they have fully loaded. Clicking on the graph will load the full report for viewing.
NOTE: It can take dashboards some time to load and display. Keep this in mind when configuring the
scope of the dashboard reports.
6 NODE OPERATIONS
6.1 Onboarding Agent Nodes
6.1.1 With Smart Node Groups Enabled
Onboarding of new nodes is largely handled automatically by TE. With Smart Node Groups enabled, new
nodes are dynamically tagged with System Tags, organizing them by platform. When additional Tagging
Profiles have been configured, nodes can be automatically tagged using a variety of properties.
6.1.2 Without Smart Node Groups Enabled (Legacy Feature)
If Smart Node Groups are disabled, however, this automatic tagging does not occur. Newly installed
Agents create a new node that appears in the special “Discovered” node group of the Node Manager.
This node group is located underneath the Root Node Group and is one of the last items in the Tree
Pane.
It is necessary to move newly discovered nodes into a node group to appropriately configure them for
monitoring. Often these node groups organize nodes by platform and other properties. To do so, we’ll
use the standard operation to move the node(s):
1. Once a node has appeared in the Discovered node group, select the node’s checkbox and click
the Move button.
2. The following dialog window displays. Select the group you intend to move the node into. The
group name will appear in the Destination field.
3. Click OK to move the node.
6.2 Event Generator and Enable Real-time Monitoring
The standard configuration of TE results in monitoring at regular intervals through the use of scheduled
check tasks. However, TE also supports a feature called “Real-time Monitoring” (RTM). As the name
implies, this feature provides notification of changes in near real time. This is accomplished by
hooking into the operating system’s kernel or audit system and watching for relevant changes to
monitored file system or registry objects. An added benefit of this feature is that TE has access to
additional information about the change, such as the username of the user responsible for the change
(“who” data).
When a TE Agent is installed, the default installation will also install a separate component, called the TE
Event Generator. This component is what performs the hook and generates the audit event information
for the Agent. When a change occurs, the Event Generator generates an audit event which is sent to the
Agent. If audit event collection is configured for a node, the Agent sends this audit event information
back to the Console when the next scheduled check task is run. If Real-time Monitoring is enabled,
however, the Agent will initiate a check against the changed object as soon as it receives the audit event
from the Event Generator. This results in timely notification of changes as well as comprehensive history
of changes to an object (instead of change information being restricted to the most recent change that
occurred to the object when a check task is performed).
Agentless nodes such as database or directory servers have limited support for audit event collection.
The process of collecting this information is different from Agent-based nodes as there is no Event
Generator. Instead, TE will pull the audit event information from the application’s event or audit logs to
correlate with the change.
There are two methods to configure audit event collection and/or Real-time Monitoring: single-node
basis or in bulk.
6.2.1 Configure on a Single-node Basis
1. Select the parent group of the node you would like to configure in the Tree Pane.
2. Click on the name link of the node you would like to configure to open its Property Editor.
3. In the resulting Property Editor window, click on the Events tab.
4. On the Events tab, select the options you desire.
a. To configure audit event collection, mark the “Collect audit-event information”
checkbox. If present, select either “Operating system audit log” or “TE event generator”
in the Event source dropdown.
b. To configure Real-time Monitoring, mark the “Collect audit-event information”
checkbox. Next, select “TE event generator” in the Event source dropdown. Then mark
the “Enable real-time monitoring” checkbox.
5. Click OK to save the configuration.
6. Ensure that you have baselined rules against the node that have RTM enabled as well. See
Configure Real-time Monitoring for Rules for more information.
6.2.2 Configure in Bulk
1. Select the parent group of the nodes you would like to configure in the Tree Pane.
2. Mark the checkboxes that correspond to the nodes you would like to configure in the Main
Pane.
3. Click on the Events button under the Modify button set on the button bar.
4. In the resulting dialog window, select the options you desire.
a. To configure audit event collection, mark the “Collect audit-event information”
checkbox. Then select either “Operating system audit log” or “TE event generator” in
the Event source dropdown.
b. To configure Real-time Monitoring, mark the “Collect audit-event information”
checkbox. Next, select “TE event generator” in the Event source dropdown. Then mark
the “Enable real-time monitoring” checkbox.
5. Click OK to save the configuration.
6. Ensure that you have baselined rules against the nodes that have RTM enabled as well. See
Configure Real-time Monitoring for Rules for more information.
NOTE: Configuring in bulk will not inform you of any nodes that do not support the Event Generator.
6.3 Create a Custom Node Type
In some cases, you will have devices you need to monitor for which TE has no default, built-in node type.
In these cases, you will want to create a custom node type from which you can create custom nodes
that identify as your new type.
1. Navigate to Settings Manager > Monitoring > Custom Node Types.
2. Click on the New Custom Node Type button.
3. Specify a custom node type name and (optional) description in the resulting dialog window.
4. Click Finish to create the custom node type.
This custom node type will now appear in your list of custom node types. Additionally, it will appear as
an available option under “Custom” when creating a new Network Device node.
6.4 Create the Custom Node
To create a custom node, follow the same process explained above for creating new objects, but do so
within the Node Manager. Below are some helpful tips to consider when creating custom nodes:
1. When selecting the type of node to create, navigate to Network Device > Custom and select the
custom node type you previously configured.
2. When naming custom nodes, be sure to use an IP address or resolvable fully qualified domain
name (FQDN) for the system you would like to monitor.
3. Select an appropriate communication method. It is recommended that you choose SSH as it will
encrypt your communication between the system and the TE Console. You will need to ensure
the specified ports are open between the TE Console host and the target system.
4. Select an appropriate transfer method. It is recommended that you choose SFTP or SCP as they
will encrypt your communication between the system and the TE Console. You will need to
ensure the specified ports are open between the TE Console host and the target system.
5. Select the appropriate SSH cipher type for the target system and the length of time before a
connection timeout occurs. If the system uses a paging function when viewing long outputs,
enter the pager prompt in the “Pager prompt” field. Add or remove checkmarks as appropriate
for the “Use DOS style line endings” and “Automatically append newlines” settings. You may
have to experiment with those last two options.
6. When specifying the username and password used to authenticate to the target system, you can
enter a value manually or specify a Global Variable to use. You can even create new Global
Variables from the custom node creation wizard. If you do create a new Global Variable for
either field, give each one a descriptive name.
7. If the system you are authenticating to uses a unique log in or log out process, configure the log
in and log out scripts on the respective wizard pages. Click the Add Condition button and specify
a prompt-response pair for each step of the interactive log in or log out process.
8. When entering version information, you can choose to enter static values or use regex to
capture parts from the output of a command string that you specify. Using the latter option will
provide you with more flexibility if you craft the regex in a reusable way. You can use the
contextual “Help” link for an example usage.
9. Use the Test Login button to validate your credentials and log in/log out scripts.
10. You will want to create custom command output validation rules (COVRs) to monitor these
custom nodes. Once your custom node is created, you can baseline the COVRs against it.
6.5 Unlicensing a Node
In some cases, you may need to decommission or otherwise take a node out of service. The best process
for doing so is to unlicense the node. This keeps the historical change data in the Console for later
review, but frees up those licenses for additional nodes you may want to monitor. While the node is
unlicensed, no checks or configuration can be performed against the node.
1. Select the parent group of the node you would like to unlicense in the Tree Pane.
2. Select the checkbox that corresponds to the node you would like to unlicense in the Main Pane.
3. Click on the Licenses button under the Modify button set on the button bar.
4. In the resulting dialog window, deselect all marked licenses assigned to the node.
5. Click OK to unlicense the node.
The node name will now include “(unlicensed)” to show that there are no assigned licenses.
Additionally, the node icon will be grayed out.
NOTE: You cannot unlicense the node that corresponds to the local Agent installed on the Console
Server host.
7 RULE OPERATIONS
7.1 Tune a Rule
As nodes are monitored for changes, there will be situations in which you will need to optimize your rules:
For instance, there may be times when you notice “noise”. The term “noise” refers to elements that
change frequently or that are not critical to monitor. It is important that rules are optimized to tune
out this noise so that you are informed of critical changes.
The core OS rules that Tripwire publishes are intended to provide notification of system changes
that impact stability, security, and availability of the monitored system. These default rules have
been refined by Professional Services based upon extensive customer feedback and iterative
tuning on thousands of systems so that they represent “best practices” for OS monitoring. With
that said, these rules will not be a perfect fit for every customer. It will be necessary to make
minor adjustments to these rules to account for changes unique to each environment.
If you create custom application rules, it is critical that you perform rule tuning to appropriately
monitor your desired application with maximum efficiency.
In all of the above cases, rule tuning is necessary to prevent “noise” and optimize the rules. The essence
of rule tuning is to monitor what is important and exclude what is not. The following methods are
helpful when tuning rules:
• Adjust the Criteria Set for an Element
o Adjusting the element’s criteria set is a common approach to rule tuning. It provides
flexibility to focus on specific attributes you want to monitor, whether that be
permissions, content, and/or timestamps. For example, if you notice an element’s
timestamps keep being edited by the OS or an application process, it would be wise to
exclude that attribute from monitoring.
o The best way to implement this method is to create a new start point specifier for a
sub-directory or specific file that needs to have an adjusted criteria set. Applying the new
criteria set to the specifier at this level will ensure the adjustment only applies to this
subset of files/directories.
• Limit Recursion on Directories
o When it is important to monitor a directory for existence/ownership but not its
contents, limiting the recursion can be a great tuning method. Examples of good
directories to apply this method to include temp, log, or debug directories.
• Utilize Element Filters
o When directories are poorly organized, it can be helpful to only include files of a specific
type, or to exclude all but what you want to monitor. Both include and exclude filters
support wildcards. Just keep in mind that element filters only apply to discrete files and
not directories. Using element filters is best for dynamic/unreadable or temporary files.
Examples include excluding “pid”, “log”, and “tmp” files.
• Utilize Stop Points
o Similar to the above method, it can be helpful to set stop points for particular
directories or files. Stop points are great to stop recursion or to exclude files that cannot
be read or tend to appear/disappear frequently.
Once you have applied tuning to a particular rule, you will want to continue to monitor the nodes and
check for any other tuning opportunities. If you excluded elements as part of the tuning process, you will
want to perform a series of element searches to find and delete the “orphaned” elements that are no
longer monitored. Otherwise they take up database space and contribute to audit events unnecessarily.
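The following toy model, added here as an illustration and not Tripwire's rule engine or any code from this guide, shows how the four tuning methods above interact on a small constructed file tree. The rule structure (start points with a criteria set and a recursion limit, stop points, include/exclude filters) and the sample paths are assumptions made for the example. Note two behaviours the text calls out: element filters apply to files only, and a narrower start point for a sub-directory replaces what the broader one collected under that path. The last function models the "orphaned" elements you would search for after tuning.

```python
"""Toy model of the rule-tuning methods in section 7.1: criteria sets per start
point, limited recursion, element include/exclude filters and stop points.
Added for illustration; this is not Tripwire's rule engine and the rule
structure below is an assumption made for the example."""
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Constructed sample file tree: path -> "dir" or "file".
SAMPLE_FS = {
    "/opt/app": "dir",
    "/opt/app/bin": "dir",
    "/opt/app/bin/server": "file",
    "/opt/app/conf": "dir",
    "/opt/app/conf/app.conf": "file",
    "/opt/app/conf/app.conf.bak": "file",
    "/opt/app/log": "dir",
    "/opt/app/log/app.log": "file",
    "/opt/app/log/archive": "dir",
    "/opt/app/log/archive/app.log.1": "file",
    "/opt/app/run": "dir",
    "/opt/app/run/server.pid": "file",
    "/opt/app/tmp": "dir",
    "/opt/app/tmp/sess_123.tmp": "file",
}

ALL_ATTRS = frozenset({"permissions", "owner", "content", "mtime"})


def _children(fs, directory):
    """Direct children of a directory, in a stable order."""
    return sorted(p for p in fs if p != directory
                  and PurePosixPath(p).parent.as_posix() == directory)


def _depth(start, path):
    """Levels below the start point (0 for the start point itself)."""
    return len(PurePosixPath(path).relative_to(start).parts)


def resolve_rule(fs, rule):
    """Return {element_path: frozenset(monitored attributes)} for a rule.

    rule = {"start_points": [{"path", "criteria", "recursion": None or int}],
            "stop_points": {path, ...},
            "include": [glob, ...], "exclude": [glob, ...]}
    Start points are applied in order; a later, narrower start point replaces
    whatever a broader one already collected under its path, which is the
    "new start point for a sub-directory" tuning method.
    """
    elements = {}
    stop_points = set(rule.get("stop_points", ()))
    include = rule.get("include", [])
    exclude = rule.get("exclude", [])

    def walk(start, path, criteria, recursion):
        if path in stop_points or path not in fs:
            return  # stop point: neither the object nor anything below it
        if fs[path] == "file":
            name = PurePosixPath(path).name
            # Element filters only apply to discrete files, never directories.
            if include and not any(fnmatch(name, g) for g in include):
                return
            if any(fnmatch(name, g) for g in exclude):
                return
        elements[path] = frozenset(criteria)
        if fs[path] == "dir":
            if recursion is not None and _depth(start, path) >= recursion:
                return  # recursion limit: directory monitored, contents are not
            for child in _children(fs, path):
                walk(start, child, criteria, recursion)

    for sp in rule["start_points"]:
        root = sp["path"]
        for old in [p for p in elements if p == root or p.startswith(root + "/")]:
            del elements[old]
        walk(root, root, sp["criteria"], sp.get("recursion"))
    return elements


def orphaned_elements(before, after):
    """Elements the previous rule version monitored that the tuned rule no
    longer does; these are what the element searches after tuning should find."""
    return set(before) - set(after)


# Untuned rule: everything under /opt/app, every attribute.
NOISY_RULE = {
    "start_points": [{"path": "/opt/app", "criteria": ALL_ATTRS, "recursion": None}],
}

# Tuned rule applying the four methods from the text.
TUNED_RULE = {
    "start_points": [
        {"path": "/opt/app", "criteria": ALL_ATTRS, "recursion": None},
        # Adjusted criteria set: the app rewrites config timestamps, so drop mtime here.
        {"path": "/opt/app/conf", "criteria": ALL_ATTRS - {"mtime"}, "recursion": None},
        # Limited recursion: watch the log directory's existence/ownership only.
        {"path": "/opt/app/log", "criteria": {"permissions", "owner"}, "recursion": 0},
    ],
    "stop_points": {"/opt/app/tmp"},   # temp area appears/disappears
    "exclude": ["*.pid", "*.bak"],      # element filters for dynamic files
}

if __name__ == "__main__":
    noisy = resolve_rule(SAMPLE_FS, NOISY_RULE)
    tuned = resolve_rule(SAMPLE_FS, TUNED_RULE)
    for path, attrs in sorted(tuned.items()):
        print(f"{path:35} {sorted(attrs)}")
    print("orphaned:", sorted(orphaned_elements(noisy, tuned)))
```

Running the script lists the seven elements the tuned rule still monitors and the seven it dropped; in the Console those dropped elements would still exist in the database until you find and delete them.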
7.2 Configure Real-time Monitoring for Rules
Real-time Monitoring is a two-step process. It must be enabled at the node level as well as the rule level.
NOTE: Not all rule types support RTM.
To enable RTM at the rule level, perform the following steps:
1. Select the parent group of the rule you would like to configure in the Tree Pane.
2. Click on the name link of the rule you would like to configure to open its Property Editor.
3. In the resulting Property Editor window, click on the Real-time tab.
4. On the Real-time tab, mark the “Enable real-time monitoring” checkbox.
5. Click OK to save the configuration.
8 POLICY OPERATIONS
8.1 Using the Policy Manager
The Policy Manager allows a user to create, import, export, edit, duplicate, organize, and delete policies,
policy tests, or policy groups. Users can also promote, execute, and waive policies. A policy measures
the degree to which configurations of monitored systems are in compliance with an industry or
corporate standard. A policy test determines if a monitored system complies with a specific requirement
of a policy. TE ships with three policy test types: content, attribute, and Windows ACL tests. The Policy
Manager allows you to create custom policies/policy tests or to import and use policies published by
Tripwire (based upon well-established standards such as CIS, PCI, SOX, NIST, DISA, etc.).
The following are some recommendations to consider when using the Policy Manager:
• It is best to only import the policies that you really need. Importing policies for platforms you do
not support or for standards you do not need to be compliant with unnecessarily decreases
manageability, consumes database space, and requires additional processing.
• To perform operations on policy, policy test, or policy test group objects, you need to have the
“Tests” tab selected on the Main Pane. If “Compliance” is selected, the buttons in the button bar
will be inactive.
• After importing new policies, be sure to scope the policies to only the nodes that the policy
applies to. Scoping the wrong nodes (or none at all) will affect the results you get and likely lead
to confusion. Then baseline the nodes with the policy rules to kick off the policy test workflow.
• Always import the policy rule XML files into the Root Rule Group of the Rule Manager prior to
importing the policy test XML files into the Root Policy Test Group of the Policy Manager. Failing
to do so will result in an error upon import of the policy test XML file. When viewing the
extracted files you downloaded from the Tripwire Customer Center, look for “Policy_Rules” in
the filename to distinguish the policy rules XML file(s) from the others. The policy test XML file(s)
will have a filename that begins with the name of the standard, such as PCI or CIS.
• When viewing compliance results using the “Compliance” tab, it is helpful to only show results
for nodes scoped by the policy you have selected. To do so, enable the filter by clicking on the
link in the lower-right corner and checking the box to enable it.
• By default, any policy score less than 100% is considered “failing”. If you would like to configure
different scoring thresholds to represent different “tiers” or “steps” on the progress to
compliance, you can configure them on the policy’s property editor.
• To view the specific pass/fail results for a specific policy test, drill down to the desired policy test
using the Tree Pane, select the policy test, and view the results in the “Compliance” tab of the
Main Pane. Each test is reported individually, both graphically and through text, to reflect the
current test results. The test is identified in the upper-right section of the Main Pane.
• When you observe a failed policy test, you will need to remediate the issue on the host in order
to pass the test. Viewing the “Remediation” tab of a policy test’s property editor will show you
instructions you can follow to remediate the issue. You can also see this remediation text on
certain reports, such as the Detailed Test Results report (when the “Show Remediation” option
is selected). Once the remediation has been performed, you will need to perform a check of the
node to detect the configuration change. If the remediation has been properly implemented,
you should then see a passing result. Keep in mind that policy tests are like actions in that they
will only be executed when there is a change in the associated element they are scoped to.
• One of the best ways to view policy and policy test results is through reports. Be sure to try
various compliance-related reports to find the ones best suited to your desired output. There
are summary reports as well as detailed ones.
8.2 Creating a Policy Waiver
There may be situations in which your nodes will never be able to pass certain policy tests. It could be
that implementing the configuration change would break some business critical function, or perhaps the
policy test is outside of the scope of compliance required for your organization. Whatever the reason, TE
includes the ability to waive policy test results so that the result is not factored into the policy score.
1. Navigate to the Policy Manager and ensure you have the “Tests” tab in the Main Pane selected.
2. Navigate to the desired policy or policy test you want to apply the waiver to and mark its
checkbox.
3. Click on the New Waiver button from the button bar.
4. In the resulting dialog window, give the waiver a meaningful name. Make sure the correct policy
is selected from the “Policy” dropdown. Then enter the remaining information:
5. Granted by: enter the name of the person or group that granted the waiver, such as an auditor
or perhaps change management.
6. Responsible: enter the name of the person or group responsible for updating the node(s) to
meet compliance.
7. Description (optional): enter a meaningful description for the waiver.
8. Expires: either set the waiver to never expire, or select a time you expect to have the condition
remediated by.
9. Click Next >.
10. Use either the “Add tests with failures” or “Add nodes with failures” button to populate the list
with nodes and tests you would like this waiver to apply to.
11. Click Next >.
12. The following page will list any node and test combinations that are not in scope with this node.
These node-test pairs will be removed from the waiver.
13. Click Finish.
NOTE: You can only waive failed test results. You cannot waive a test in expectation of a future failed result.
After configuring a waiver, those in-scope node-test pairs will have their failed result excluded from the
policy score. When viewing the overall policy score, you will see a “Score” column for the score with
waivers considered and a “Without Waivers” column for the score without waivers considered.
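To make the scoring rules in sections 8.1 and 8.2 concrete, here is a small model added for this guide (not Tripwire's code and not its published scoring algorithm). It mirrors the waiver wizard by dropping out-of-scope node/test pairs and refusing to waive passing results, it honours the waiver expiry date, and it computes both the “Score” and “Without Waivers” values. The scoring formula used, the percentage of in-scope node/test pairs that pass, the threshold tiers, and the sample node names and test names are all assumptions made for the example.

```python
"""Model of policy scoring with waivers, as described in sections 8.1 and 8.2.
Added for illustration; the scoring formula (percentage of in-scope node/test
pairs that pass) is an assumption for this example, not Tripwire's published
algorithm. Dates are ISO "YYYY-MM-DD" strings so they compare correctly as text."""

# Constructed sample: result of the last policy check per (node, test).
RESULTS = {
    ("web01", "ssh-root-login-disabled"): "pass",
    ("web01", "password-max-age"): "fail",
    ("web02", "ssh-root-login-disabled"): "fail",
    ("web02", "password-max-age"): "fail",
    ("db01", "ssh-root-login-disabled"): "pass",
    ("db01", "password-max-age"): "pass",
}
POLICY_SCOPE = {"web01", "web02", "db01"}   # nodes the policy is scoped to


def build_waiver(name, granted_by, responsible, expires, requested_pairs,
                 results=RESULTS, scope=POLICY_SCOPE):
    """Mirror the New Waiver wizard: keep only node/test pairs that are in the
    policy's scope and currently failing. Out-of-scope pairs are dropped (wizard
    step 12) and passing results cannot be waived (NOTE above). Returns the
    waiver plus the dropped pairs with the reason for each."""
    kept, dropped = set(), []
    for node, test in sorted(requested_pairs):
        if node not in scope:
            dropped.append(((node, test), "node not in policy scope"))
        elif results.get((node, test)) != "fail":
            dropped.append(((node, test), "only failed results can be waived"))
        else:
            kept.add((node, test))
    waiver = {"name": name, "granted_by": granted_by, "responsible": responsible,
              "expires": expires, "pairs": kept}   # expires: "YYYY-MM-DD" or None
    return waiver, dropped


def waiver_active(waiver, today):
    """A waiver set to never expire has expires=None."""
    return waiver["expires"] is None or today <= waiver["expires"]


def policy_score(results, waivers, today):
    """Return {"score": ..., "without_waivers": ...} in percent, one decimal.
    "score" leaves waived pairs out of the calculation entirely, matching the
    text: a waived failure is not factored into the policy score."""
    waived = set().union(*[w["pairs"] for w in waivers if waiver_active(w, today)])
    counted = [pair for pair in results if pair not in waived]
    passed_counted = sum(1 for pair in counted if results[pair] == "pass")
    passed_all = sum(1 for r in results.values() if r == "pass")
    score = round(100.0 * passed_counted / len(counted), 1) if counted else 100.0
    without = round(100.0 * passed_all / len(results), 1) if results else 100.0
    return {"score": score, "without_waivers": without}


def score_tier(score, thresholds=None):
    """By default anything below 100% is failing. Optional thresholds, a list of
    (minimum_score, label) with the highest first, model the custom tiers that
    can be configured on the policy's property editor."""
    for minimum, label in (thresholds or [(100.0, "passing")]):
        if score >= minimum:
            return label
    return "failing"


if __name__ == "__main__":
    waiver, dropped = build_waiver(
        "Legacy app needs long-lived passwords", "Internal audit", "Web team",
        "2020-12-31",
        {("web01", "password-max-age"), ("web02", "password-max-age"),
         ("app99", "password-max-age"), ("web01", "ssh-root-login-disabled")})
    print("waived pairs:", sorted(waiver["pairs"]))
    print("dropped:", dropped)
    print("2020-06-01:", policy_score(RESULTS, [waiver], "2020-06-01"))
    print("2021-01-01:", policy_score(RESULTS, [waiver], "2021-01-01"))
```

With the sample data the policy scores 50% without waivers and 75% with the waiver in force; once the waiver expires the two columns agree again, which is the cue to either remediate or renew the waiver.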
9 OTHER OPERATIONS
9.1 Configure the Login Method
NOTE: Configuring the Login Method requires the Administrator role.
The Login Method controls how TE authenticates user credentials. There are two authentication
methods available: Password and LDAP/Active Directory. With the Password method, TE authenticates
the username and password provided when logging in against its own database. With the LDAP/Active
Directory method, an LDAP or Active Directory server handles authentication of the supplied
credentials.
NOTE: TE always authenticates the built-in “administrator” user account with the Password method
regardless of the Login Method configured.
By default, Tripwire uses Password authentication. Switching to LDAP/Active Directory authentication is
beneficial for a couple of reasons: 1) the user continues to use their familiar network/domain
credentials to log in to the Console, and 2) user password management occurs within LDAP or Active
Directory (expiration, resetting, etc.) instead of TE.
NOTE: TE does not integrate directly with LDAP or Active Directory. TE simply passes the provided
credentials to the specified directory server for processing and verification. This means that
network/domain users needing access to TE will need to have a user account created for them within
TE. It is critical that the spelling and case of the network/domain username match the TE username
spelling and case. If there are differences between the two, authentication will fail.
TIP: Ensure you have created a TE user account for your personal network/domain user account (or edit
your previous account username to match your network/domain username exactly). Not only will this
serve as your new TE user account, but you can use this account to test the configuration as well!
NOTE: Even after switching to LDAP/Active Directory authentication, new user accounts will still require
a local password to complete the user account creation process. However, the network/domain
password will be used instead of the local password.
To switch to LDAP/Active Directory authentication, navigate to Settings Manager > Administration >
Login Method:
1. Ensure you know the built-in “administrator” passphrase. This will allow you to log in after
enabling LDAP/Active Directory authentication and correct any configuration issues.
2. From the “System login method” dropdown, select LDAP/Active Directory.
3. Enter the URL for the LDAP or Active Directory server to be used for authentication with the
required ldap:// prefix.
4. Enter the desired User template. It is recommended you use the User Principal Name (UPN)
format “$user@example.com” for Active Directory. Other valid formats include Distinguished
Names “CN=$user,CN=Users,DC=example,DC=com” (recommended for LDAP) and the Active
Directory SAM Account Name “example.com\$user”.
5. To encrypt communication between the TE Console server and your specified directory server,
mark the “Connect using SSL” checkbox. This will require SSL to be supported by the specified
directory server. Additionally, you will need to add the server certificate of your directory server
to the TE Console keystore.
6. Click “Apply” to save your new configuration.
7. Log out of TE and log in using your network/domain username to verify connectivity (you made
sure you have an account in TE that matches your network/domain username exactly, right?).
8. If your attempt fails, log in as “administrator” and adjust your configuration. It will be helpful to
consult the Log Manager to see what error you are getting when attempting to authenticate.
Common causes of issues include:
• Mistyped directory server URL
• Mistyped domain in the user template field
• No corresponding user account created in TE
• Username in TE does not match spelling/case of network/domain username
• You did not import (or incorrectly imported) the root server certificate after enabling SSL
The Tripwire Enterprise 8.3 User Guide has additional instructions for configuring the Login Method on
page 282.
The Login Method page also allows you to configure an account lockout policy. To do so:
1. Mark the “Enable Account Lockout Policy” checkbox.
2. Configure the desired account lockout duration, threshold, and reset counter time in the
available fields. For most customers, the defaults are fine.
3. Mark the “Notify user on account lockout…” checkbox if you wish to send a notification email to
the user when they are locked out. This option requires the user to have an email address
specified for their account.
4. Configure the email CC, subject, server, and body options as desired. For most customers, the
defaults are fine. If you want to alert the TE Administrator of the user lockout, add their user
account to the CC field.
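The following model, added for this guide and not Tripwire's implementation, walks through the login behaviour described in this section: the user template is expanded with the supplied username, the username must match a TE account exactly (spelling and case), the built-in administrator is always checked with the Password method, and repeated failures trigger the account lockout policy. The directory lookup is simulated with a dictionary, and the lockout threshold, duration and reset counter values, the sample accounts and passwords are assumptions made for the example; the product's own defaults are not stated on this page.

```python
"""Model of the login flow in section 9.1: render the user template, require
an exact (case-sensitive) match against the TE user list, pass credentials to
the directory, and apply the account lockout policy. Added for illustration;
the directory lookup is simulated and the lockout defaults are assumed values,
not the product's."""
from string import Template

# Constructed directory server contents: bind name -> password.
DIRECTORY = {
    "jsmith@example.com": "S3cret!",
    "CN=jsmith,CN=Users,DC=example,DC=com": "S3cret!",
    "jdoe@example.com": "Other1!",
}

# Constructed TE user accounts. Note "JDoe": the directory knows "jdoe", so a
# network login as jdoe fails the exact spelling/case match the text warns about.
TE_USERS = {
    "administrator": {"local_password": "admin-passphrase"},
    "jsmith": {"local_password": "local-only"},
    "JDoe": {"local_password": "local-only"},
}


def render_user_template(template, username):
    """Expand $user in a template such as "$user@example.com" (UPN),
    "CN=$user,CN=Users,DC=example,DC=com" (DN) or "example.com\\$user" (SAM)."""
    return Template(template).safe_substitute(user=username)


class LockoutPolicy:
    """threshold failures within reset_counter seconds lock the account for
    lockout_duration seconds; a successful login clears the failure counter."""

    def __init__(self, threshold=5, lockout_duration=1800, reset_counter=1800):
        self.threshold = threshold
        self.lockout_duration = lockout_duration
        self.reset_counter = reset_counter
        self._failures = {}      # user -> recent failure timestamps (seconds)
        self._locked_until = {}  # user -> time the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[user]      # lockout duration has elapsed
        self._failures.pop(user, None)
        return False

    def record_failure(self, user, now):
        """Return True when this failure triggers a lockout (the point at which
        the 'Notify user on account lockout' email would be sent)."""
        recent = [t for t in self._failures.get(user, []) if now - t < self.reset_counter]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout_duration
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def authenticate(username, password, login_method, user_template, now, policy,
                 directory=DIRECTORY, te_users=TE_USERS):
    """Return (ok, reason). login_method is "Password" or "LDAP/Active Directory"."""
    if policy.is_locked(username, now):
        return False, "account locked"
    if username not in te_users:   # exact spelling and case, no normalisation
        return False, "no matching TE account (spelling and case must match)"
    # The built-in administrator is always checked with the Password method.
    if login_method == "Password" or username == "administrator":
        ok = te_users[username]["local_password"] == password
    else:
        bind_name = render_user_template(user_template, username)
        ok = directory.get(bind_name) == password   # simulated directory bind
    if ok:
        policy.record_success(username)
        return True, "ok"
    if policy.record_failure(username, now):
        return False, "account locked"
    return False, "bad credentials"


if __name__ == "__main__":
    pol = LockoutPolicy(threshold=3, lockout_duration=600, reset_counter=300)
    for t, (user, pw) in enumerate([("jsmith", "S3cret!"), ("jdoe", "Other1!"),
                                    ("jsmith", "wrong"), ("jsmith", "wrong"),
                                    ("jsmith", "wrong"), ("jsmith", "S3cret!")]):
        print(t, user, authenticate(user, pw, "LDAP/Active Directory",
                                    "$user@example.com", t * 10, pol))
```

The “jdoe” attempt fails even with the right directory password because the TE account was created as “JDoe”, which is the mismatch the troubleshooting list above points at; the Log Manager entry for such a failure is what you would consult in step 8.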
9.2 Support Data
There are times when having configuration and troubleshooting data for your Agents can be valuable in
diagnosing and resolving Agent issues. Furthermore, Tripwire Support will request this data when
assisting you. You can generate a support bundle (a zipped archive of Agent configuration and
troubleshooting data) through the Console:
1. Navigate to the Settings Manager > System > Support Data page.
2. Click on the Collect… button.
3. In the resulting dialog window:
a. Enter an optional Tripwire Support case number in the field.
b. Keep the checkbox for “Include files from the TE Server’s agent” selected if you would
like to generate a support bundle for the TE Console’s local Agent. Otherwise uncheck
the checkbox.
4. Click on the Next > button.
5. Click the Add button.
6. In the resulting dialog window, navigate the tree and select a node or node group you would like
to generate support bundles for. Your current selection appears in the “Selection” field.
7. Click Add if you would like to add the current selection and have the opportunity to add
additional selections. Click OK if your current selection is adequate and you would like to close
the window.
8. Your added selections will be listed in the original dialog window. Click Finish to generate the
support bundle(s). You will be prompted to save the file.
9. Once you have the support bundle, you can extract the contents to view the data yourself or
provide it to Tripwire Support, if requested.
TIP: It is not recommended to select the “Root Node Group” as this will result in connections to every
Agent monitored by Tripwire and result in a large zip file. Similarly, be mindful of selecting node groups
with large numbers of Agents for the same reason.
9.3 Create a Promotion Approval Template
By default, promoting element changes requires you to enter a comment and optional approval
identifier. If you regularly promote element changes for the same reason (such as a “business as usual”
change), configuring a promotion approval template allows you to apply the same comment and
approval identifier to those promotions. This makes the process more efficient for those individuals
responsible for promoting changes by saving time and providing consistent verbiage when promoting
those similar changes.
1. Navigate to the Settings Manager > System > Approval Templates page.
2. Click on the New Approval Template button.
3. In the resulting dialog window, specify an approval template name and (optional) description.
4. Click Next.
5. Specify a promotion comment and/or approval identifier. Approval identifiers are commonly a
username or change request ID for the approved change. You can use a date variable if you
would like to include the date/time of the promotion in either the comment or approval ID. Click
on the “Help” link for specific uses of the date variable.
6. Click Finish to create the approval template. Your approval template is now listed on the
Approval Templates page and is available to select when using the promotion workflow.
NOTE: You can also configure a new approval template when using the promotion workflow.
TIP: One strategy is to keep placeholders in your approval template (see screenshots above) to make
them more flexible. When you choose an approval template to use when performing the promotion,
you will have an opportunity to edit the values of the comment and approval identifier fields at that
time.
9.4 Using Home Pages
Home pages are configurable pages that display information about TE or monitored systems through
dashboards, reports, alerts, and more. The Home Page Manager is typically used by managers or other
non-administrative users, who have little or no need to access data from different manager
components, to get a quick overview of the state of their environment. The first time you log in to the
Console you will be directed to the Home Page Manager where you will see any home pages that have
been assigned to you.
The Home Page Manager has a Configuration Pane on the left and a Main Pane on the right. You can
collapse the Configuration Pane by clicking on the “<<” button in the pane’s upper-right corner. A home
page can contain up to three configurable rows containing up to four columns. In other words, it could
contain merely a single region, or it could contain 12 regions. You can expand or collapse a row by
clicking on the arrow at the top or bottom of the Main Pane (the row “delimiter”). You can resize rows
by adjusting the row delimiter, as well. To add or remove columns, click on the gear button in the upper-
left corner of each region and select the desired number of rows.
Once you have defined the regions of your home page, you can then add widgets. On the Configuration
Pane, you can access widgets from the Widgets tab. Then simply drag and drop a widget into the desired
region. Widgets allow you to display various information about your monitored systems, including
alerts, reports, dashboards, and more.
Home pages can be created from either the Home Page Manager or the Settings Manager. Once
created, you will need to assign a home page to a user before they can view it. Home pages can only be
configured from the Home Page Manager, however. It is wise to create the reports and dashboards you
would like to see on the home page first. Then you can create your home page and configure the
widgets within it.
Below are some recommendations to keep in mind when creating home pages:
• Home pages are generally "role-specific." For example, typical home pages might display data
unique to Security Configuration Management, File Integrity Monitoring, Security,
Administration, etc. This allows you to granularly assign users with specific roles to specific
home pages.
• Home pages may be created either from the Settings Manager or the Home Page Manager.
Creating them from the Settings Manager allows you to do three things: create the new home
page, assign pre-existing users to it, and import/export pages from or to an XML file. You must
move to the Home Page Manager to perform the actual configuration of any newly created
home page. The Home Page Manager allows you to do all of the previously mentioned steps
except import/export of home pages. You may find it easier to assign users to home pages from
the Settings Manager because you can quickly access the user list from that location to see both
the user account and description. This is most helpful when user logins are not easily associated
to the user name.
• Home pages are built using "widgets". Widgets are customizable home page components that
come in a few types. Commonly used types include dashboards (graphical reports),
non-graphical reports, and alerts for specific log messages.
• If you haven't already created your graphical and non-graphical reports or dashboards, navigate
to the Reports Manager and build them before creating your home page. You will then have
content to add and configure.
NOTE: Completing the Fast Track process will create certain home pages for you. These give you a start
and can then be configured later.
1. Navigate to the Settings Manager > Administration > Home Pages page.
2. Click on the New Home Page button.
3. In the resulting dialog window, specify a home page name and (optional) description.
4. Click Next.
5. Select the users you would like to assign the home page to from the “Available Users” panel
(left side) and click on the add arrow (right-pointing arrow). Your selection(s) will appear in the
“Assigned Users” panel (right side). If you added a user you do not want assigned to the
home page, select them from the “Assigned Users” panel and click the remove arrow
(left-pointing arrow).
6. Click Finish.
7. Navigate to the Home Page Manager. Expand the Configuration Pane if it is not already
expanded.
8. Select the home page you created from the tabs at the top of the Main Pane.
9. At this time it is best to adjust your layout to create the desired number of regions.
10. Select the “Widgets” tab in the Configuration Pane. To add a widget, click on the widget type.
11. When prompted if you would like to continue or not, either select “Continue” or “Do not Ask
Again” if you want to avoid future prompts for each action you take on this home page.
12. New widgets are added to the middle row by default. You may want to move them to either the
top or bottom rows by clicking and dragging the widget using its title bar.
13. Click the gear button in the upper-right corner of the newly added widget.
14. In the resulting dialog window:
a. Specify a more meaningful name for this widget. This name will be visible on the home
page.
b. Depending upon the type of widget you selected, you may have additional options to
configure. For example, adding a dashboard widget requires you to navigate the Tree
Pane and select the desired dashboard to display in the widget.
15. Click OK. The new widget now appears in the home page as configured.
16. Depending upon the type of widget you added, there may be an additional configuration step
required. For example, the alert widget requires you to click on the “Alert on…” button to
specify the source for the alerts you want to view.
17. You can now add additional widgets and/or adjust the layout as needed. When you are finished,
you will likely want to collapse the Configuration Pane to maximize your viewable space.
9.4.1 Alerts Widget
Follow the steps above to add the alerts widget. Once you specify a name for the widget by using the
gear button (step 14), you will need to perform some additional configuration.
1. Click the Alert on… button and select the desired source for the alerts. Continue to add alerts as
you see fit.
2. Click on the gear button to access the options for the alert. This allows you to set the scope for
or delete the alert, clear the data, etc. Scoping the alert allows you to only receive alerts for the
specified nodes or some other factor.
3. From the gear menu, click on the Configure button.
4. In the resulting dialog window:
a. Click the manila folder icon(s) to select the node/node groups or policy/policy test
groups to scope the alert to.
b. Depending upon the alert type you’ve added, you may have additional options to set.
5. Click OK. Your alerts widget is now configured. If you want to only show active alerts, uncheck
the “View All” checkbox.
9.5 Create a Custom Property
There may be specific situations in which you need to define a specific property for a node, element, or
version. Besides using smart node groups to accomplish your goal, you can also use a custom property.
A custom property is a user-defined property that you can apply to a node, element, or version. These
properties can then act as a filter used in various operations or features such as actions or reports.
Examples include automatically promoting an element version when the parent element has a specific
property, producing a report that either includes or excludes nodes with specific properties, etc.
The most common usage of this feature is to apply properties to either nodes or elements. Of the
element properties, the most common usage is to create a “business-as-usual” (BAU) property. This
property is applied to elements whose changes should be automatically promoted as they are of a
common, business-as-usual nature. In this specific example, the default value of the BAU property
would be “false” for all elements. Only those elements meeting the BAU criteria would have the
property set to “true”.
The process to create a custom property is the same for node, element, and version properties. The only
difference is which page you create the property in.
1. Decide if you are creating a node, element, or element version property. Then navigate to the
Settings Manager > Custom Properties > Version Properties, Element Properties, or Node
Properties page, depending upon your decision.
2. Click on the New Property button.
3. In the resulting dialog window, select the property type you would like to create.
4. Click Next.
5. In the resulting dialog window, specify a property name and (optional) description.
6. Click OK.
7. Specify your desired options:
a. The “Inherit the default if no value is specified” checkbox determines whether or not
the object will inherit the property’s default value if a custom value is not specified for
the object. You most likely want this checked.
b. The “Editable in property editor” checkbox determines whether or not users can enter a
custom value for the object. You most likely want this checked.
c. Enter a default value for the property in the “Default value” field. This may be Yes/No, a
number, or some other value depending upon the type of property you are creating.
d. Specify the remaining options available to you. These may be additional values or simply
additional options for the property. For questions about these remaining options, click
on the “Help” link.
8. Click Finish. The custom property is created and associates itself with every object of its type
(node, element, or element version) using the default value.
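To show how the options in steps 7 and 8 play out once a property is in use, here is a model added for this guide (not Tripwire's data model or any code from the product). It implements the “Inherit the default if no value is specified” and “Editable in property editor” flags, the business-as-usual element property from the text with its default of “false”, an auto-promote action filtered on that property, and a node property used to include or exclude nodes from a report. The object layout, the sample elements and nodes, and the “environment” node property are assumptions made for the example.

```python
"""Model of custom properties as described in section 9.5: a property with a
default value and inherit/editable flags, a "business-as-usual" element
property driving an auto-promote action, and a node property used as a report
filter. Added for illustration; the object layout is an assumption, not
Tripwire's data model."""


class CustomProperty:
    def __init__(self, name, kind, default, inherit_default=True, editable=True):
        self.name = name
        self.kind = kind              # "node", "element" or "version"
        self.default = default
        self.inherit_default = inherit_default
        self.editable = editable


def effective_value(prop, obj):
    """Value the object sees: its own custom value if set, else the default when
    "Inherit the default if no value is specified" is checked, else None."""
    if prop.name in obj["properties"]:
        return obj["properties"][prop.name]
    return prop.default if prop.inherit_default else None


def set_value(prop, obj, value):
    """Enter a custom value, which is only possible when the property is
    "Editable in property editor"."""
    if not prop.editable:
        raise ValueError(f"property {prop.name!r} is not editable")
    obj["properties"][prop.name] = value


def auto_promote(changed_versions, elements, bau_prop):
    """Action filter: promote new versions only of elements whose BAU property
    is "true". Returns (promoted, held) lists of element ids."""
    promoted, held = [], []
    for version in changed_versions:
        element = elements[version["element"]]
        if effective_value(bau_prop, element) == "true":
            version["promoted"] = True
            version["comment"] = "Auto-promoted: business-as-usual change"
            promoted.append(version["element"])
        else:
            held.append(version["element"])
    return promoted, held


def filter_nodes(nodes, prop, value, exclude=False):
    """Report filter that includes (or, with exclude=True, excludes) nodes whose
    property has the given value."""
    return sorted(name for name, node in nodes.items()
                  if (effective_value(prop, node) == value) != exclude)


# Constructed sample objects. Every object starts with no custom value, which is
# what "associates itself with every object ... using the default value" means.
BAU = CustomProperty("BAU", "element", "false")
ELEMENTS = {
    "web01:/etc/motd": {"properties": {}},
    "web01:/etc/passwd": {"properties": {}},
    "db01:/etc/motd": {"properties": {}},
}
set_value(BAU, ELEMENTS["web01:/etc/motd"], "true")   # only this one is routine

ENVIRONMENT = CustomProperty("environment", "node", "production")
NODES = {
    "web01": {"properties": {}},
    "db01": {"properties": {}},
    "dev01": {"properties": {"environment": "development"}},
}


def run_sample():
    """Simulate one check that produced a new version of every element."""
    changed = [{"element": e, "promoted": False} for e in sorted(ELEMENTS)]
    return auto_promote(changed, ELEMENTS, BAU)


if __name__ == "__main__":
    print("promoted/held:", run_sample())
    print("production nodes:", filter_nodes(NODES, ENVIRONMENT, "production"))
    print("non-production nodes:", filter_nodes(NODES, ENVIRONMENT, "production", exclude=True))
```

Only the element explicitly marked BAU is promoted; the other two inherit the default of “false” and their new versions stay unpromoted for a person to review, which is the intended safety behaviour of the pattern described above.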