using tripwire enterprise 8 - university at buffalo · 2020-01-06 · the using tripwire enterprise...


Page 1: USING TRIPWIRE ENTERPRISE 8 - University at Buffalo · 2020-01-06 · The Using Tripwire Enterprise 8.3 Guide provides a task-focused look at operating Tripwire Enterprise (TE). The

USING TRIPWIRE ENTERPRISE 8.3 SUPPLEMENTAL GUIDE

TRIPWIRE PROFESSIONAL SERVICES

v2.1


1 | Using Tripwire Enterprise 8.3 | Tripwire Professional Services

TABLE OF CONTENTS

Table of Contents .......................................................................................................................................... 1

1 About this Guide .................................................................................................................................... 4

1.1 Revision History ............................................................................................................................ 4

2 Introduction to Tripwire Enterprise ....................................................................................................... 5

2.1 Exploring the Console Interface .................................................................................................... 6

2.1.1 Manager Bar and Tabs .............................................................................................................. 6

2.1.2 Button Bar ................................................................................................................................. 6

2.1.3 Interface Toolbar ....................................................................................................................... 8

2.1.4 Tree Pane and Main Pane ......................................................................................................... 8

2.1.5 Status Bar .................................................................................................................................. 9

2.2 Managers and Objects ................................................................................................................ 10

2.3 New Features in Tripwire Enterprise 8.3 .................................................................................... 12

3 Getting Started .................................................................................................................................... 13

3.1 Installing Tripwire Enterprise ...................................................................................................... 13

3.2 Accessing the Console ................................................................................................................. 13

3.3 Fast Track .................................................................................................................................... 14

3.4 Logging In to the Console ............................................................................................................ 20

3.5 Change Your User Password ....................................................................................................... 21

3.6 Setting User Preferences ............................................................................................................ 22

3.7 Check the Version of Tripwire Enterprise ................................................................................... 23

4 Using Asset View .................................................................................................................................. 24

4.1 Tagging Best Practices ................................................................................................................. 25

4.1.1 Guidelines for Using Tags ........................................................................................................ 25

4.1.2 Tagging Tips and Tricks ........................................................................................................... 25

4.1.3 Tagging Strategies ................................................................................................................... 26

4.2 Filtering Assets ............................................................................................................................ 27

4.3 Viewing and Selecting Assets ...................................................................................................... 28

4.4 Manually Applying Tags to Assets ............................................................................................... 29

4.5 Working with Tags and Tag Sets ................................................................................................. 30

4.6 Working with Saved Filters ......................................................................................................... 31


4.7 Working with Tagging Profiles .................................................................................................... 32

5 Standard Operations ............................................................................................................................ 33

5.1 Create a Group ............................................................................................................................ 33

5.1.1 Node Groups ........................................................................................................................... 34

5.1.2 Smart Node Groups ................................................................................................................. 34

5.2 Create an Object ......................................................................................................................... 36

5.2.1 Create a Rule ........................................................................................................................... 37

5.2.2 Create a Task ........................................................................................................................... 42

5.2.3 Create an Action ...................................................................................................................... 44

5.2.4 Create a Report ....................................................................................................................... 44

5.3 Move an Object ........................................................................................................................... 47

5.4 Link/Unlink an Object .................................................................................................................. 48

5.4.1 Link a Node .............................................................................................................................. 49

5.5 Delete an Object ......................................................................................................................... 50

5.5.1 Delete a Node ......................................................................................................................... 50

5.6 Import/Export an Object ............................................................................................................. 52

5.7 Baseline a Node .......................................................................................................................... 54

5.8 Check a Node .............................................................................................................................. 56

5.9 Viewing Changes ......................................................................................................................... 57

5.10 Promoting Changes ..................................................................................................................... 59

5.11 Viewing Reports and Dashboards ............................................................................................... 63

6 Node Operations.................................................................................................................................. 65

6.1 Onboarding Agent Nodes ............................................................................................................ 65

6.1.1 With Smart Node Groups Enabled .......................................................................................... 65

6.1.2 Without Smart Node Groups Enabled (Legacy Feature) ......................................................... 65

6.2 Event Generator and Enable Real-time Monitoring ................................................................... 67

6.2.1 Configure on a Single-node Basis ............................................................................................ 67

6.2.2 Configure in Bulk ..................................................................................................................... 68

6.3 Create a Custom Node Type ....................................................................................................... 69

6.4 Create the Custom Node ............................................................................................................ 70

6.5 Unlicensing a Node ..................................................................................................................... 74

7 Rule Operations ................................................................................................................................... 76


7.1 Tune a Rule ................................................................................................................................. 76

7.2 Configure Real-time Monitoring for Rules .................................................................................. 78

8 Policy Operations ................................................................................................................................. 79

8.1 Using the Policy Manager ........................................................................................................... 79

8.2 Creating a Policy Waiver ............................................................................................................. 82

9 Other Operations ................................................................................................................................. 85

9.1 Configure the Login Method ....................................................................................................... 85

9.2 Support Data ............................................................................................................................... 88

9.3 Create a Promotion Approval Template ..................................................................................... 90

9.4 Using Home Pages....................................................................................................................... 92

9.4.1 Alerts Widget .......................................................................................................................... 97

9.5 Create a Custom Property ........................................................................................................... 98


1 ABOUT THIS GUIDE

The Using Tripwire Enterprise 8.3 Guide provides a task-focused look at operating Tripwire Enterprise (TE). The goal of this document is to empower you with clear instructions to accomplish specific tasks and procedures within TE. The result is a practical look at operating TE to realize its maximum benefit.

NOTE: This guide is designed to complement, rather than replace, the Tripwire Enterprise 8.3 User Guide. The User Guide provides a more comprehensive overview of TE functionality.

1.1 Revision History

This document has been updated to reflect improvements and new features available in TE version 8.3. For specific details on the revision history, please consult the table below:

Date        Author(s)     Version       Change Reference
9/2/2011    Gail Powell   Version 1.0   TE 8.1 Initial Draft
9/22/2011   Gail Powell   Version 1.1   TE 8.1 Final Draft
4/18/2014   Daniel Kuhn   Version 2.0   TE 8.3 Update Draft
5/21/2014   Daniel Kuhn   Version 2.1   Minor Updates


2 INTRODUCTION TO TRIPWIRE ENTERPRISE

Tripwire Enterprise (TE) is a File Integrity Monitoring (FIM) and Security Configuration Management (SCM) tool designed to be flexible in its monitoring of changes to systems, devices, and applications. TE supports file servers, database servers, directory servers, network devices, and virtual infrastructure systems out of the box. There is additional functionality to support other devices and systems through the use of custom nodes.

The change detection core of TE can be understood with the knowledge of a few terms:

• A node is a monitored device or system. Examples of nodes include file servers, database instances, or even network devices. TE supports many different node types.

• A rule defines a set of data to monitor. This could be a specific file or directory, or it could be the results of a database query or command, for example. Just like there are many node types, there are many rule types.

• When you perform a check of a node with a rule, the result is an element. An element is the monitored data, as defined by the rule and returned by the node.

• An element, itself, is made up of versions. Think of an element version as a snapshot of the monitored data at some point in time.

TE looks for changes to monitored elements. The first time a rule is run (or “checked”) against a node, a baseline element version is created. This baseline version is what future checks are compared to when TE is looking for changes. (The process of performing this initial check of a rule against a node is also called “baselining”, as the baseline element version is what results.)

If a change is detected, TE classifies the change as one of three types: addition (a file is added, for example), deletion (a file is deleted, for example), or the most common, modification (the contents of a file or its attributes have changed, for example). This detected change is then saved as a new element version of that change type.

As you can imagine, over time TE will keep adding to this element history by creating new change versions when changes are detected. In situations when the change that TE detected was expected or known (in other words, a “good” or “authorized” change), a user can promote that newly detected change version to become the new baseline version. This new baseline version becomes the “current baseline” version against which future checks are compared, and the change detection process continues as before.

This interaction of nodes, rules, elements, and versions defines the core of TE.
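The baseline, check and promote lifecycle described above, modelled in Python as an added example. This is not code from the guide or from Tripwire, and it does not show how TE itself is implemented; the node name, the paths, the rule's directory and the file contents are constructed sample input, and a SHA-256 content hash plus one permission attribute stand in for the monitored data a file-server rule would return.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The three change types the guide describes.
ADDITION, DELETION, MODIFICATION = "addition", "deletion", "modification"

# Constructed stand-in for a node's file system: path -> (content, permission mode).
NodeFS = Dict[str, Tuple[bytes, int]]


@dataclass(frozen=True)
class Snapshot:
    """Monitored data for one path at a point in time: content hash plus one attribute."""
    sha256: Optional[str]  # None means the path does not exist on the node
    mode: Optional[int]


ABSENT = Snapshot(None, None)


@dataclass
class ElementVersion:
    snapshot: Snapshot
    change_type: Optional[str]  # None for a baseline version, else one of the three change types


@dataclass
class Element:
    """What a rule returns from a node for one path, together with its version history."""
    path: str
    versions: List[ElementVersion] = field(default_factory=list)
    baseline_index: int = 0  # which version is the "current baseline"

    @property
    def current_baseline(self) -> Snapshot:
        return self.versions[self.baseline_index].snapshot

    def promote_latest(self) -> None:
        """An authorized change: the newest change version becomes the current baseline."""
        self.baseline_index = len(self.versions) - 1


class Rule:
    """A file-server style rule: monitor every path under one directory."""
    def __init__(self, directory: str):
        self.directory = directory.rstrip("/") + "/"

    def collect(self, fs: NodeFS) -> Dict[str, Snapshot]:
        return {p: Snapshot(hashlib.sha256(data).hexdigest(), mode)
                for p, (data, mode) in fs.items() if p.startswith(self.directory)}


class Node:
    """A monitored system holding the elements produced by checking rules against it."""
    def __init__(self, name: str):
        self.name = name
        self.elements: Dict[str, Element] = {}

    def baseline(self, rule: Rule, fs: NodeFS) -> int:
        """Initial check: each path the rule returns becomes an element with a baseline version."""
        for path, snap in rule.collect(fs).items():
            self.elements[path] = Element(path, [ElementVersion(snap, None)])
        return len(self.elements)

    def check(self, rule: Rule, fs: NodeFS) -> Dict[str, str]:
        """Compare the rule's current data with each element's current baseline; record changes."""
        current = rule.collect(fs)
        changes: Dict[str, str] = {}
        # New paths: the element starts from an "absent" baseline plus an addition version.
        for path, snap in current.items():
            if path not in self.elements:
                self.elements[path] = Element(
                    path, [ElementVersion(ABSENT, None), ElementVersion(snap, ADDITION)])
                changes[path] = ADDITION
        for path, elem in self.elements.items():
            if not path.startswith(rule.directory) or path in changes:
                continue
            snap = current.get(path, ABSENT)
            # No new version if the data matches the current baseline, or if the same
            # change was already recorded by an earlier check and is still unpromoted.
            if snap in (elem.current_baseline, elem.versions[-1].snapshot):
                continue
            if snap == ABSENT:
                change_type = DELETION
            elif elem.current_baseline == ABSENT:
                change_type = ADDITION
            else:
                change_type = MODIFICATION
            elem.versions.append(ElementVersion(snap, change_type))
            changes[path] = change_type
        return changes


def demo() -> dict:
    """Walk the lifecycle on constructed data: baseline, detect, promote, re-check."""
    node, rule = Node("web01"), Rule("/etc/app")  # hypothetical node name and rule scope
    fs: NodeFS = {
        "/etc/app/app.conf": (b"listen=443\n", 0o640),
        "/etc/app/users.db": (b"admin:x\n", 0o600),
        "/var/log/app.log": (b"started\n", 0o644),  # outside the rule: never monitored
    }
    baselined = node.baseline(rule, fs)
    first = node.check(rule, fs)  # nothing changed yet
    fs["/etc/app/app.conf"] = (b"listen=443\ndebug=true\n", 0o640)  # content modified
    fs["/etc/app/users.db"] = (b"admin:x\n", 0o644)                  # attribute modified
    fs["/etc/app/hook.sh"] = (b"#!/bin/sh\n", 0o755)                 # file added
    second = node.check(rule, fs)
    for path in ("/etc/app/app.conf", "/etc/app/hook.sh"):  # authorized changes
        node.elements[path].promote_latest()
    third = node.check(rule, fs)  # users.db still differs but is already recorded
    del fs["/etc/app/hook.sh"]                         # promoted file removed
    fs["/etc/app/users.db"] = (b"admin:x\n", 0o600)    # unauthorized change reverted
    fourth = node.check(rule, fs)
    history = {p: [v.change_type for v in e.versions] for p, e in node.elements.items()}
    return {"baselined": baselined, "first": first, "second": second,
            "third": third, "fourth": fourth, "history": history}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two behaviours are worth noticing when running demo(). Comparisons are always against the current baseline, so a change that was detected but never promoted (users.db) does not generate a second version on every later check, and once that unauthorized change is reverted the element is silent again because it matches its baseline. A promoted addition (hook.sh) becomes the baseline, so its later removal is reported as a deletion; the same file removed before promotion would simply match the absent baseline.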


2.1 Exploring the Console Interface

The Console Interface is a web-based GUI that provides a means to operate, administrate, and maintain TE. The Console Interface consists of two main panes and multiple toolbars and tabs.

2.1.1 Manager Bar and Tabs

The Manager Bar provides easy access to each of the different Managers within TE. Each Manager controls a different component of TE. The tools and actions available in each Manager are unique to the functionality of its component. For a description of each Manager, see Managers and Objects.

Navigating between Managers is as simple as clicking on the desired Manager from the Manager Bar. Selecting a Manager from the Manager Bar displays a set of Tabs along the top of the interface (just below the Manager Bar). Each Tab contains a sub-set of functions and data for the selected Manager.

2.1.2 Button Bar

The Button Bar consists of buttons that initiate TE functions. The actual buttons available in the bar depend upon the currently selected Manager and Tab.

Additionally, some Managers have expandable button sets that are toggled by clicking the corresponding special button (such as those special buttons labelled “Manage”, “Control”, or “Modify”). The toggle state can be observed by looking for the direction of the black arrow to the right of the label on these special buttons. If the arrow is pointing to the left, the button set is expanded. If the arrow is pointing to the right, the button set is collapsed.

NOTE: Some buttons in the button bar may be disabled until you select an appropriate object for that action. Similar to the Manager bar, some buttons may be permanently disabled based upon the permissions granted to your user account.

The label button (far left-side of the button bar) toggles the display of text labels through three states:

• Show all labels

• Hide all labels

• Show the label of a button only when you hover over the button

If the label button appears as follows, all labels are shown:

If the label button appears as follows, all labels are hidden:

If the label button appears as follows, labels are shown as you hover over the button:


NOTE: The “Import” button has been hovered over and its label is displayed. No other labels are displayed.

Toggle the different views by clicking on the label button until you find your preference.

2.1.3 Interface Toolbar

The Interface Toolbar is located in the upper-left corner of the window just below the Manager bar. While this toolbar is present across nearly all TE windows (including pop-ups), the specific buttons within the toolbar depend upon the window context. This toolbar consists of three buttons:

• The Refresh button updates displayed data with the latest information. It is recommended that you do not use your web browser’s refresh button to refresh data in the TE interface.

• The Help button opens TE’s in-application, context-sensitive help system.

• The Logout button ends the current user session. This is preferable over simply closing your web browser since it gracefully closes all tables and indices and releases your session.

2.1.4 Tree Pane and Main Pane

The Tree Pane displays the hierarchy of groups used to organize objects in the selected Manager. If you select an object in the Tree Pane, information about that object is displayed in the Main Pane. For example, selecting a group from the Tree Pane will display all objects within and sub-groups of the selected group in the Main Pane. To execute an operation on an object (such as a rule check, promotion, or other activity), you must first select the object’s parent group in the Tree Pane. Then select the object from the list in the Main Pane and initiate your desired operation. Below is an example from the Node Manager.


Users can “drill down” using the Tree Pane. Any place you see a “+” icon adjacent to an object, it means there are children underneath it. Clicking the “+” will expand the object so its children are visible.

For example, when looking at the Node Manager, you will be able to expand the Root Node Group to find a few child node groups. Expanding those will likely reveal more child node groups. Selecting a node group from the Tree Pane will display the nodes (and possibly node groups) it contains in the Main Pane. Ultimately selecting a node from the Tree Pane will display either the rules and/or rule groups baselined against the node (if the “Detailed node view” Tree Option is enabled, which it is by default) or all of the associated elements for that node in the Main Pane. This process of expanding deeper into the tree is known as “drilling down”.

NOTE: If you have the “Detailed node view” Tree Option enabled (as it is by default), you will be able to “drill down” past the node level as well. Doing so will reveal the rules and rule groups that have been baselined against the node. Selecting a rule group object from the Tree Pane will display the rules (and possibly rule groups) it contains in the Main Pane. Ultimately selecting a rule from the Tree Pane will display the associated elements that exist from that node and rule combination in the Main Pane.

2.1.5 Status Bar

The Status Bar is located at the bottom of the window and displays the name of the current user and which Manager they are viewing. Certain Managers also support a filter to control which objects are visible. You can click on the username to view and edit the settings for that user account. Similarly, you can click on the filter status to view and edit the filter settings for that Manager.


2.2 Managers and Objects

TE functionality consists of several different components. Each Manager controls a different component of TE. You use each Manager to manage different types of objects, some of which are unique to specific Managers.

• Home Page Manager

o Allows a user to create, edit, duplicate, organize, assign, or delete home pages. Home pages are configurable pages that display information about TE or monitored systems through dashboards, reports, alerts, and more. This Manager is typically used by managers or other non-administrative users, who have little or no need to access data from different manager components, to get a quick overview of the state of their environment.

• Node Manager

o Allows a user to create, import, export, edit, duplicate, organize, delete, check, baseline, and promote nodes and node groups. Users can also manage file system agents and licensing of nodes. Nodes represent monitored assets (servers, systems, devices, etc.). TE ships with a variety of supported node types such as file server, database server, directory server, network device, and virtual infrastructure nodes. The Nodes tab of the Node Manager has historically been the place to manage all facets of nodes, but that is changing. The Asset View tab contains Asset View, which is inheriting the administrative and operating features of the Nodes tab. This transition is intentional, as moving from a static tree hierarchy of asset management to a dynamic tag-based system provides many benefits. The most visible example of this transition is the presence of both regular Node Groups and Smart Node Groups. Regular Node Groups are managed through the Nodes tab while Smart Node Groups are managed through Asset View. For more information, see Using Asset View.

• Rule Manager

o Allows a user to create, import, export, edit, duplicate, organize, or delete rules or rule groups. Rules define the data and/or objects to be monitored on a node. TE ships with a variety of rule types such as file server, database server, directory server, network device, and virtual infrastructure rules.

• Action Manager

o Allows a user to create, import, export, edit, duplicate, organize, or delete actions or action groups. Actions initiate a response to changes detected by TE or failures generated by policy tests. TE ships with a variety of action types such as e-mail notification, auto-promote, SNMP, syslog, and content conditional actions. Actions can be applied to nodes, rules, or tasks.


• Task Manager

o Allows a user to create, import, export, edit, duplicate, organize, delete, enable/disable, and execute tasks or task groups. Tasks run a TE operation on a manual or scheduled basis. TE ships with three task types: check rule, baseline rule, and report tasks.

• Policy Manager

o Allows a user to create, import, export, edit, duplicate, organize, and delete policies, policy tests, or policy groups. Users can also promote, execute, and waive policies. A policy measures the degree to which configurations of monitored systems are in compliance with an industry or corporate standard. A policy test determines if a monitored system complies with a specific requirement of a policy. TE ships with three policy test types: content, attribute, and Windows ACL tests.

• Log Manager

o Allows a user to view, search, export, and delete log messages. A log message is a record of user or network activity created by TE. It contains who, what, where, and when data for each user action.

• Report Manager

o Allows a user to create, import, export, edit, duplicate, organize, or delete reports, dashboards, or report groups. Reports compile and display data about the monitored systems in TE. Dashboards are a user-defined collection of reports that are generated at the same time.

• Settings Manager

o Allows a user to control the features, application parameters, system preferences, and user preferences for TE.


2.3 New Features in Tripwire Enterprise 8.3

• New licensing options. You can now license individual monitored assets for Change Auditing, Policy Management, or both for an Integrated Security Configuration Management (SCM) solution. In previous versions of Tripwire Enterprise, a node required a Change Audit license to enable Policy Management functionality, but these license types can now be applied independently.

• Enhanced workflow for managing nodes and resolving errors in Asset View. You can now restart, enable, and disable multiple nodes from the Asset View tab at the same time. In addition, you can test the connection to file system nodes from the Asset View tab to help diagnose connection errors.

• Support for SCAP-based content. The SCAP (Security Content Automation Protocol) 1.2 standard is an emerging collection of standards developed by the NIST (National Institute of Standards and Technology). Tripwire Enterprise can be used to import SCAP-based content, interact with that content, run scans, and view scan results. In Tripwire Enterprise 8.3, this functionality is available via an API. For more information on using TE with SCAP-based content, see the Tripwire Enterprise SCAP Guide.

• Improved performance when a server node is unreachable. When Tripwire Enterprise cannot access a file server node during a baseline operation or version check, it now skips all other attempts to contact that node using other rules. This reduces the time required to complete the task. TE will also apply a Connection Error tag to the node in Health Check to reflect the fact that it was unreachable. Once the connection issue is resolved, baseline or version check operations on the node will resume normally.

• Troubleshooting assistance during installation or migration. If you encounter problems while installing or updating Tripwire Enterprise Console, a new error console displays database settings and detailed error information to help you to troubleshoot the problem.


3 GETTING STARTED

3.1 Installing Tripwire Enterprise

For instructions on installing TE, please see the Tripwire Enterprise 8.3 Installation & Maintenance Guide.

3.2 Accessing the Console

Once TE has been installed, you can access the Console by navigating to the IP address or hostname of the Console Server (over HTTPS) in a supported browser:

https://<TE Console Server hostname>

https://<IP address of the TE Console Server>

The following are examples of valid methods to access the Console:

https://tripwire

https://tripwire.domain.com

https://192.168.1.100


3.3 Fast Track

You will encounter Fast Track the first time you access the Console post-installation. Fast Track will dramatically speed up the time it takes to configure TE. You will be presented with a questionnaire that Fast Track will use to install and configure the selected components. Fast Track is a one-time configuration tool. You will not be able to access it again once you have completed the process.

1. Click the “Configure Tripwire Enterprise” button to begin.

2. Click the “Browse” button, navigate to the location of your TE license file (which should have a .cert file extension), and select it.


3. Select your desired solutions and policies.

4. Specify the platforms you would like to monitor. Platforms that you are licensed for are highlighted in the “Available Platforms” pane (left side). Platforms you select from the “Available Platforms” list will appear in the “Selected Platforms” pane (right side).


5. Using the dropdown controls, adjust the task schedules to meet your business needs. Fast Track allows you to schedule tasks in one hour intervals. If you require greater granularity in your task scheduling, you can adjust these times through the Task Manager after you complete Fast Track.

6. Configure your email server by filling in the appropriate SMTP host details and desired sender

email address. If your email server requires authentication, select the checkbox and enter the

additional account information. Use the “Test the connection” box to test your configured

settings. The results of the test will be displayed in the “Connection Results” textbox. If you

would rather configure your email server at a later time (in the Settings Manager), select the

second radio button.

7. Create an Administrator account. This user will be granted full permissions. Additionally, be

mindful of the password policy when choosing this user’s password. If desired, this password policy

can be adjusted later through the server.properties file.

8. Click the “Preview Configuration” button to review your selected configuration. The Fast Track

Manifest will list which items will be applied to your configuration and which are not supported

(due to unique platform/monitoring configuration combinations you may have selected). It is

recommended that you save the Fast Track Manifest for later review. To do so, either save the

web page, or copy and paste the contents to a text editor like Notepad and save the result.

9. While reviewing the Fast Track Manifest, if you determine a correction is needed, click on the

“Edit Configuration” button. Once you are satisfied with the configuration, click “Apply

Configuration”. Do not forget to save the Manifest if you desire.

10. Fast Track will now configure TE according to your specifications. You can track the progress on

the next page. When Fast Track completes, it will state “Finished!”

11. Click the “Continue to Tripwire Enterprise” button to be redirected to the Console login page.

You can now log in with the admin user account you created during Fast Track.

3.4 Logging In to the Console

When accessing the Console, you will be presented with a login page. This page will prompt you for a

username and password, which should have been supplied to you by the Tripwire Administrator. If

Active Directory/LDAP authentication has been configured, then your username and password are your

network/domain credentials. Once you have entered your username and password, click the “Sign In”

button.

NOTE: TE displays times and dates in American English format by default. To display times and dates in a

different locale, change the Locale setting when you log into the software. Changing the locale setting

does not provide localization support (translate the text to a different language).

3.5 Change Your User Password

There will be times when it is necessary to change your user password. If your Tripwire Administrator

initially provided you with your username and password, you will want to change your password after

logging in to the Console for the first time.

1. Ensure your implementation of TE is not using Active Directory/LDAP authentication (otherwise

changing your password through TE will have no effect). If you aren’t sure, check with your

Tripwire Administrator.

2. Log in to the Console and navigate to any manager except the Home Manager.

3. Click on your username in the lower-right of the page (right side of the Status bar).

4. On the resulting user account dialog window, select the “Password” tab.

5. Enter your existing (current) password in the “Current password” field. Enter your desired new

password in the “New password” field and again in the “Confirm” field.

6. Click “OK” to save your changes and close the dialog window.

3.6 Setting User Preferences

Upon logging in to the Console, you will be viewing the Home Page Manager by default. You may change

this default log in behavior as well as a myriad of other user-specific preferences on the Settings

Manager > User > Preferences page. Commonly adjusted settings include the “Always login to Home

Page”, “Display exact table count”, “Table page size”, and “Max version display” preferences. Keep in

mind that these preferences control the behavior and display settings of the Console Interface for only

your user. Detailed descriptions of each setting can be found in the contextual help link within the

Interface Toolbar.

NOTE: Use caution when enabling the “Display exact table count” preference as this will force TE to

retrieve all applicable objects from the database for any query you perform (instead of loading the

objects in batches of 5000). For queries involving a large number of objects, you will likely see a

performance impact with this preference enabled (and very likely a delay before the page completely

loads).

In certain circumstances, it can be beneficial to adjust the contextual difference settings. These settings

are found on the Settings Manager > User > Differences page. These settings control the use of context

lines when you compare two element versions in the Difference Viewer.

3.7 Check the Version of Tripwire Enterprise

There are certain situations in which it is helpful to know the specific version of TE you are currently

running. Thankfully it is very simple to check the version.

1. After logging into the Console, click on the TE logo in the upper-left corner.

NOTE: You will need to make sure you have disabled your pop-up blocker and/or whitelisted the TE

Console web application.

2. In the resulting pop-up window, you will clearly see the version string. The major and minor

version numbers are the first three integers in the version string (8.3.3 in the screenshot that

accompanies this step in the original guide, meaning TE is running version 8.3.3).

3. When you are finished, close the window.

4 USING ASSET VIEW

You can view and manage your assets (nodes) based upon the tags assigned to them in the Asset View tab. Asset View is accessed from a separate tab of the Node Manager. The Asset View tab consists of three main components:

The left pane is the Asset Filter, where you can apply filters to change the assets displayed in the Asset List.

The middle pane is the Asset List, which displays assets that match the criteria in the Asset Filter pane. You can examine the properties of the assets displayed here, or add them to the current selection.

The right pane is the Selection Information pane, which displays assets that are currently selected. In this pane, you can also open the Tags Drawer to assign tags to assets or change the tags that are currently assigned.

Each object in the Nodes tab of the Node Manager is represented by an asset in the Asset View tab. Using tags allows you to manage your assets more efficiently with fewer resources. Tags enable you to organize, view, and control assets using whatever criteria are most important to you—for example: business unit, operating system, policy, risk, owner, or applications installed. Since tags and filters are easy to change, you can quickly reconfigure and reorganize your assets as your business evolves.

4.1 Tagging Best Practices

Before you begin working with tags and tag sets, it is a good idea to identify some key attributes or distinctions that you can use as a starting point to classify your assets. Use the following best practices to help identify beneficial distinctions you can make.

4.1.1 Guidelines for Using Tags

Start small. Do not try to lay out your entire tag-based classification before you start applying

tags. Choose a tag and apply it appropriately. See what you learned there, and then move on.

You are going to see value in doing even a little bit of tagging, and you should feel free to iterate

on your tagging at your own pace.

Tags and tag sets should represent a single group or type. Do not join concepts with “and” or

“or” in a single tag or tag set. For example, avoid creating tags like

Location:Seattle&Portland or Application&Role:Exchange Server. Instead,

create Location:Seattle and Location:Portland. You can easily combine these tags

while filtering if you do want to see assets that are either in Seattle or Portland, but it may be

hard to make that distinction later if you report on a single combined tag.

All tags should have semantic value in themselves. Tags should mean something when read,

even out of context. When creating tags, consider how they might appear on a report. Avoid

tags like Risk:2 or Vulnerability:3 and instead use Risk:Medium or

Vulnerability:Low.

Use tagging profiles to automate the tagging process. If you can tell programmatically what tag

should be applied for a given situation, create a tagging profile to apply it automatically. Tagging

profiles will take much of the work out of applying tags, and ensure that you are up to date as

new assets come online.

Use affirmative tags whenever possible. Instead of creating tags like Policy:Not PCI, use

the default Untagged tag to reflect the absence of a state. In some cases, it may be useful to

have a tag like Location:Unknown, however.

Avoid abbreviations. Avoid tags like Server Role:DC and instead spell out Server

Role:Domain Controller. When working with a single group or type, there is almost

always room to write it out completely.

Avoid creating more than 2000 tags. Asset View currently performs best with 2000 or fewer

tags, and will become less responsive as you approach and exceed the 2000 tag mark.
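The following Python script is an added example, not part of this guide or of TE itself. It checks a list of proposed tag names against the guidelines above (joined concepts, numeric-only values, negative tags, abbreviations, and the 2000-tag ceiling). The sample tag list and the abbreviation table are constructed for the example. TE does not enforce any of these rules, so a check like this belongs in whatever process reviews new tags before they are created in Asset View.

```python
import re

# Constructed sample tag names, including several the guidelines above advise against.
SAMPLE_TAGS = [
    "Location:Seattle",
    "Location:Seattle&Portland",
    "Application&Role:Exchange Server",
    "Risk:2",
    "Risk:Medium",
    "Policy:Not PCI",
    "Server Role:DC",
    "Location:Unknown",
]

# Hypothetical house list of abbreviations that should be spelled out.
ABBREVIATIONS = {"DC": "Domain Controller", "DB": "Database", "FW": "Firewall"}

# Connectors that indicate two concepts were joined into one tag or tag set.
CONJUNCTION = re.compile(r"(&|/|\band\b|\bor\b)", re.IGNORECASE)
NUMERIC_ONLY = re.compile(r"^\d+$")
NEGATION = re.compile(r"^(not|non|no)\b", re.IGNORECASE)


def lint_tag(tag):
    """Return the guideline violations for one 'Tag Set:Tag' string (empty list if clean)."""
    if ":" not in tag:
        return ["missing the 'Tag Set:Tag' separator"]
    tag_set, value = (part.strip() for part in tag.split(":", 1))
    problems = []
    for part, label in ((tag_set, "tag set"), (value, "tag")):
        if CONJUNCTION.search(part):
            problems.append(f"{label} joins concepts: {part!r}")
    if NUMERIC_ONLY.match(value):
        problems.append(f"tag has no semantic value: {value!r}")
    if NEGATION.match(value):
        problems.append(f"negative tag, use Untagged or an affirmative tag instead: {value!r}")
    if value.upper() in ABBREVIATIONS:
        problems.append(f"abbreviation, spell out {ABBREVIATIONS[value.upper()]!r}")
    return problems


def lint_tags(tags, limit=2000):
    """Lint every tag and add a global warning when the count exceeds the limit."""
    report = {tag: lint_tag(tag) for tag in tags}
    if len(tags) > limit:
        report["(all)"] = [f"{len(tags)} tags exceeds the recommended maximum of {limit}"]
    return report


if __name__ == "__main__":
    for tag, problems in lint_tags(SAMPLE_TAGS).items():
        print(tag, "->", "OK" if not problems else "; ".join(problems))
```

Location:Unknown passes, as the guidelines allow, because only a leading "not", "non" or "no" is treated as a negative tag; Location:Portland passes because the connector patterns require whole-word "and"/"or".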

4.1.2 Tagging Tips and Tricks

Viewing the intersection between two or more tags from the same tag set. To see assets that

have the tags Business Unit:Commercial and Business Unit:Sales, filter in

Asset View using one of the tags and then type the other tag in as a keyword search. You will

always get the intersection between a tag and a keyword.

To add a third tag, save the previous tag and keyword combination as a saved filter and use that

saved filter to filter assets. Then type in a third tag as a keyword search. You will always see the

intersection between a tag and a saved filter, even if the tags in the saved filter come from the

same tag set as the individual tag.

Use the counts in the filter pane to provide additional context to any tag selection. As soon as

you filter by a tag, all of the other tag counts update. That means that you only have to look at

the counts next to the other tags to see how they relate to your selected tag.

For example, if you click on Priority:Critical and then look in the Owner tag set, you

will immediately know which owners have critical assets, just by looking at the counts. The only

caveat here is that tag counts will not provide interaction information for tags within the same

tag set.

Use saved filters in Asset View as a shortcut for tag combinations that you filter on frequently.

Saved filters enable you to combine combinations of tags to schedule checks, filter reports, etc.

However, you can also use saved filters in the Asset View tab to quickly view assets that you are

interested in. For example, you could quickly identify all of the high priority assets in Portland

that are in scope for PCI by creating a saved filter with Priority:High,

Location:Portland, and Policy:PCI tags specified.

4.1.3 Tagging Strategies

With tags, you can organize your assets any way you want to, but the strategies in this section show some of the patterns that have worked well so far.

Tag for policies: this is typically based on operating system information and role.

Tag for check rule tasks: this is frequently done based on location and/or business unit, but it

depends on how you segment your assets to time their checks.

Tag for reports: this will include tags like Priority and Owner, but it can include many more.

These tags give context to the results of your reports.

Tag for asset management: this can include tags like Priority and temporary tags like

Status:Decommissioned or Status:New. You can use these tags when you need to

work on an asset.

4.2 Filtering Assets

The first time you load Asset View, there will be no filters applied and you will see all of your assets displayed in the Asset List (middle pane). You can filter your assets using the Asset Filter (left pane):

Filter assets using keywords: you can enter one or more strings into the keyword search field at

the top of the pane and TE will display any asset that contains the search string in its name, IP

address(es), or associated tags.

Filter assets using the tags assigned to them: expand either Tag Sets, System Tag Sets, or

Operational Tag Sets and select one or more tags.

Filter assets using Saved Filters: expand Saved Filters and select one or more saved filters.

NOTE: When multiple filter criteria are specified, TE interprets criteria in the same tag set or saved filter using a logical OR operator. Criteria from different tag sets or saved filters are interpreted using an AND operator. For example, if you select Location:Portland, Location:Seattle, and Owner:Bob, the Asset List displays all assets that Bob owns and that are in either Portland or Seattle.

Any filters that have been applied will be listed at the top of the Asset Filter pane. You can clear individual filters by clicking on the “X” next to the item, or you can click the “Clear all” button to clear all filters.

TIP: You can save your current combination of filters by clicking on the “Save current filter” button at the top of the Asset Filter pane.
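The following Python script is an added example, not part of this guide or of TE. It models the filter rules in the NOTE above (OR within a tag set, AND across tag sets, saved filters and keywords) together with the tag-and-keyword intersection and the tag-count tips in section 4.1.2, on a constructed sample inventory whose names, addresses and tags are invented. Two points are assumptions rather than documented TE behavior: keyword matching is treated as case-insensitive, and a saved filter that has both tags and a keyword is treated as requiring both.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    ips: list
    tags: set  # "Tag Set:Tag" strings, as Asset View displays them


@dataclass
class SavedFilter:
    name: str
    tags: set = field(default_factory=set)
    keyword: str = ""


# Constructed sample inventory; names, addresses and tags are invented.
ASSETS = [
    Asset("pdx-web01", ["10.1.1.10"], {"Location:Portland", "Owner:Bob", "Priority:High",
                                        "Policy:PCI", "Business Unit:Commercial"}),
    Asset("pdx-db01", ["10.1.1.20"], {"Location:Portland", "Owner:Alice", "Priority:Critical",
                                       "Policy:PCI", "Business Unit:Commercial", "Business Unit:Sales"}),
    Asset("sea-app01", ["10.2.1.10"], {"Location:Seattle", "Owner:Bob", "Priority:High",
                                        "Business Unit:Sales"}),
    Asset("chi-fs01", ["10.3.1.10"], {"Location:Chicago", "Owner:Bob", "Priority:Low"}),
]


def tag_set_of(tag):
    return tag.split(":", 1)[0]


def matches_tags(asset, tags):
    """OR between tags of the same tag set, AND across tag sets."""
    wanted_by_set = {}
    for tag in tags:
        wanted_by_set.setdefault(tag_set_of(tag), set()).add(tag)
    return all(asset.tags & wanted for wanted in wanted_by_set.values())


def matches_keyword(asset, keyword):
    """Substring match against name, IP addresses and tags (case-insensitivity is an assumption)."""
    needle = keyword.lower()
    return any(needle in text.lower() for text in [asset.name, *asset.ips, *asset.tags])


def filter_assets(assets, tags=(), keywords=(), saved_filters=()):
    """Apply the Asset Filter rules: the tag selection, every keyword and every
    saved filter must all match (AND). A saved filter is its own tag selection
    plus an optional keyword (both required when present: an assumption)."""
    selected = []
    for asset in assets:
        if not matches_tags(asset, tags):
            continue
        if not all(matches_keyword(asset, k) for k in keywords):
            continue
        if not all(matches_tags(asset, sf.tags)
                   and (not sf.keyword or matches_keyword(asset, sf.keyword))
                   for sf in saved_filters):
            continue
        selected.append(asset)
    return selected


def tag_counts(assets):
    """The per-tag counts the filter pane shows for the currently matching assets."""
    counts = {}
    for asset in assets:
        for tag in asset.tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def names(assets):
    return [a.name for a in assets]


if __name__ == "__main__":
    # The NOTE's example: Bob's assets in either Portland or Seattle.
    print(names(filter_assets(ASSETS, tags=["Location:Portland", "Location:Seattle", "Owner:Bob"])))
    # Intersection of two tags from the same tag set: one as a tag, the other as a keyword.
    print(names(filter_assets(ASSETS, tags=["Business Unit:Commercial"], keywords=["Business Unit:Sales"])))
    pci = SavedFilter("Portland PCI High", {"Priority:High", "Location:Portland", "Policy:PCI"})
    print(names(filter_assets(ASSETS, saved_filters=[pci])))
    # Which owners have critical assets: filter on the tag, then read the Owner counts.
    print(tag_counts(filter_assets(ASSETS, tags=["Priority:Critical"])))
```

Selecting Business Unit:Commercial and Business Unit:Sales as two tags returns their union, which is why the tip in 4.1.2 routes the second tag through the keyword box to obtain the intersection.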

4.3 Viewing and Selecting Assets

To view the properties of an asset:

1. (Optional) Use the Asset Filter to refine the list of assets in the Asset List.

2. Click on the asset in the Asset List (do not select the checkbox). The asset’s properties are

displayed in the Selection Information pane. If there are any errors associated with the asset,

they will appear near the bottom of the Selection Information pane as well.

To select an asset:

1. (Optional) Use the Asset Filter to refine the list of assets in the Asset List.

2. Mark the checkbox adjacent to an asset in the Asset List. Alternatively, you could use the “All” or

“None” buttons near the top of the Asset List to select all or none of the assets, respectively. As

you select each asset, it is listed in the Selection Information pane. If you want to remove an

asset from the current selection, click on the “X” next to it. To remove all assets from the

current selection, click on the “Clear” button at the top of the Selection Information pane to

clear all selected assets.

4.4 Manually Applying Tags to Assets

1. (Optional) Use the Asset Filter to refine the list of assets in the Asset List.

2. In the Asset List, select any assets whose tags you want to edit.

3. Click Edit Tags in the Selection Information pane to open the Tags Drawer.

4. In the Tags Drawer, expand and select or clear the tags that are applied to the asset(s). A

marked checkbox means the tag is applied to all of the selected assets. An empty checkbox

means the tag is not applied to any of the selected assets. A filled checkbox means the tag is

applied to some of the selected assets.

5. Click Close to apply your changes and close the Tags Drawer.

4.5 Working with Tags and Tag Sets

Tags are descriptors that you can create and assign to your assets. You can assign as many tags to an asset as you like and you can always rename or delete the tags later (except for system or operational tag sets). Tags are organized using Tag Sets, which group a set of related tags. For example, a tag set named Location could include the tags Portland, Chicago, and New York. These tags would be represented in TE as Location:Portland, Location:Chicago, and Location:New York.

Tripwire Enterprise includes a number of System Tag Sets, pre-defined tag sets that organize your assets based on operating system, device type, or other criteria. These tags are automatically assigned to assets when you add them to TE. You can't edit or delete system tag sets, or apply them to assets manually.

You will also see Operational Tag Sets, which help you manage the health of your assets by identifying errors. Operational tags are automatically applied to assets when an error is encountered. Assets are untagged automatically when the cause of the error is resolved, for all tags except the Uncategorized Errors tag. In that case, it is necessary to manually dismiss the Uncategorized Errors for the tag to be removed. In general, you are able to manually dismiss any of the errors at any time.

Asset View allows you to create user-defined tags and tag sets to organize and characterize your assets, giving you flexibility and control to place your assets into logical groups. For each tag and tag set you create, a corresponding smart node group will be created in the Nodes tab. As soon as an asset is assigned a tag, it will automatically be placed in the tag’s corresponding smart node group. You can use this smart node group to view nodes, scope tasks, scope policies, and much more, just as you can with a regular node group. You have full control over user-defined tags and tag sets, so you can add, remove, and edit them as necessary.

To manage tags and tag sets:

1. Navigate to the Nodes Manager and select the Asset View tab.

2. Click on Manage Tagging in the upper left corner.

3. In the left pane of the resulting window, select Tag Sets.

a. To add a tag set: enter a name for the new tag set and click Add.

b. To rename a tag set: click the set’s name, then edit it and press Enter.

c. To delete a tag set: click on the “X” adjacent to the tag set. Review the system objects

associated with the tag set and then click Yes to confirm deletion.

4. To manage the tags in a tag set, expand the desired tag set to view the tags it contains.

a. To add a tag: enter a name for the new tag and click Add.

b. To rename a tag: click the tag’s name, then edit it and press Enter.

c. To delete a tag: click on the “X” adjacent to the tag. Review the system objects

associated with the tag and then click Yes to confirm deletion.

5. Click Filter Assets to return to the main Asset View page.

4.6 Working with Saved Filters

Saved filters are defined collections of tags that you can use to classify sets of assets. For example, you could create a saved filter named “Portland Win2K3 PCI” that includes any asset with the following combination of tags:

Location:Portland

Operating System:Windows 2003 Server

Policy:PCI

To manage saved filters:

1. Navigate to the Nodes Manager and select the Asset View tab.

2. Click on Manage Tagging in the upper left corner.

3. In the left pane of the resulting window, select Saved Filters.

a. To add a saved filter:

i. Click New Saved Filter.

ii. Enter a name for the new saved filter.

iii. (Optional) specify a keyword and/or tags that the filter will use to select assets.

iv. Click Save to create the new saved filter.

b. To edit an existing saved filter: select the saved filter and click Edit Saved Filter.

c. To delete a saved filter: select the saved filter and click Delete Saved Filter. Review the

system objects associated with the saved filter and then click Yes to confirm deletion.

4. Click Filter Assets to return to the main Asset View page.

4.7 Working with Tagging Profiles

Tagging profiles allow you to configure TE to apply additional tags to assets with specific characteristics. For example, you could create a profile to assign the tag Owner:Windows Admin to all Windows assets. Or you could assign Dept:Finance to all assets with "finance" in their hostname that are also within a specific IP address range. Tagging profiles enable you to apply tags to a large number of assets quickly and precisely, and to ensure that new assets are tagged properly. Tagging profiles can apply tags automatically when new assets are added to TE, or you can run them manually to quickly apply tags to existing assets in TE. To manage tagging profiles:

1. Navigate to the Nodes Manager and select the Asset View tab.

2. Click on Manage Tagging in the upper left corner.

3. In the left pane of the resulting window, select Tagging Profiles.

a. To add a tagging profile:

i. Click New profile.

ii. Enter a name for the new tagging profile.

iii. Specify whether you will run the profile manually or automatically.

iv. In the Choose Conditions section, specify the conditions the profile will use to

select assets.

v. In the Choose Tags to Apply section, specify the tags that the profile will assign

to the selected assets.

vi. Click Save to create the new profile. If you chose to run the profile

automatically, TE will run the profile immediately.

b. To manually run an existing tagging profile: select the profile and click Run Profile

Now.

c. To edit an existing tagging profile: select the profile and click Edit Profile.

d. To delete a tagging profile: select the profile and click Delete Profile.

4. Click Filter Assets to return to the main Asset View page.

TIP: In the Choose Conditions section, you can use the “Matches” and “Does Not Match” selectors to select assets using regular expressions. The “Contains” and “Does Not Contain” selectors use case-insensitive matching.

TIP: In the Choose Conditions section, you can use the match “All” or “Any” dropdown at the top to

determine whether your multiple conditions should be evaluated with an “AND” or “OR” operator,

respectively.
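The following Python script is an added example, not code from this guide or from TE. It evaluates tagging-profile conditions the way the two TIPs describe (case-insensitive Contains/Does Not Contain, regular-expression Matches/Does Not Match, and All/Any combination) and applies the two profiles used as examples at the start of this section. The asset records are constructed. The "in range" operator used for the IP-range condition, and its CIDR or start-end syntax, is an assumption about how you would express that condition, not TE's own selector name.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    ip: str
    os: str
    tags: set = field(default_factory=set)


@dataclass
class Condition:
    attribute: str  # "name", "ip" or "os"
    operator: str   # contains, does not contain, matches, does not match, in range (assumed)
    value: str


@dataclass
class TaggingProfile:
    name: str
    conditions: list
    tags: set
    match: str = "all"  # "all" = AND, "any" = OR


def in_range(ip, spec):
    """True if ip falls in a CIDR block or a 'start-end' range (assumed syntax)."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate(condition, asset):
    """Evaluate one condition against one asset, per the TIP semantics."""
    actual = getattr(asset, condition.attribute)
    op, value = condition.operator, condition.value
    if op == "contains":
        return value.lower() in actual.lower()
    if op == "does not contain":
        return value.lower() not in actual.lower()
    if op == "matches":
        return re.search(value, actual) is not None
    if op == "does not match":
        return re.search(value, actual) is None
    if op == "in range":
        return in_range(actual, value)
    raise ValueError(f"unknown operator {op!r}")


def profile_selects(profile, asset):
    results = (evaluate(c, asset) for c in profile.conditions)
    return all(results) if profile.match == "all" else any(results)


def run_profile(profile, assets):
    """Apply the profile's tags to every asset it selects; return the names tagged."""
    tagged = []
    for asset in assets:
        if profile_selects(profile, asset):
            asset.tags |= profile.tags
            tagged.append(asset.name)
    return tagged


# Constructed sample assets (names, addresses and OS strings are invented).
SAMPLE_ASSETS = [
    Asset("finance-web01", "10.5.1.10", "Windows Server 2012"),
    Asset("finance-lab", "192.168.9.5", "Ubuntu 14.04"),
    Asset("hr-app01", "10.5.1.30", "Windows Server 2008"),
    Asset("pdx-db01", "10.1.1.20", "RHEL 6"),
]

# The two profiles described in the text above.
WINDOWS_ADMIN = TaggingProfile(
    "Windows owner", [Condition("os", "contains", "windows")], {"Owner:Windows Admin"})
FINANCE = TaggingProfile(
    "Finance department",
    [Condition("name", "contains", "Finance"), Condition("ip", "in range", "10.5.1.0/24")],
    {"Dept:Finance"})

if __name__ == "__main__":
    for profile in (WINDOWS_ADMIN, FINANCE):
        print(profile.name, "->", run_profile(profile, SAMPLE_ADMIN if False else SAMPLE_ASSETS))
```

With match set to "all", finance-lab is not tagged Dept:Finance even though its hostname contains "finance", because its address is outside the range; with "any" it would be. Note that "matches" and "does not match" are passed straight to the regular-expression engine, so a profile condition written by an unprivileged TE user is effectively a pattern evaluated against every asset attribute.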

5 STANDARD OPERATIONS

5.1 Create a Group

Each of the managers (excluding the Home Page, Log, and Settings Managers) use groups to organize

objects. Each manager has its own group object(s):

Manager    Group Object(s)
-------    ----------------
Node       Node Group
           Smart Node Group
Rule       Rule Group
Action     Action Group
Task       Task Group
Policy     Policy Test Group
Report     Report Group

You are able to create groups within the “Root Group” of each manager or within other groups (also

called “sub-groups”). The Node Manager is unique in that it has two types of groups: node groups and

smart node groups.

The process of creating groups is the same for each of these managers:

1. Select the location you would like to create the new group within (either the “Root Group” or

another group).

2. Click on the New Group button under the Manage button set on the button bar.

3. Specify a group name and (optional) description in the resulting dialog window.

4. Click Finish to create the group.

5.1.1 Node Groups

Node groups (also called “classic” node groups) are primarily a legacy feature. They are static groups

designed to hold a group of nodes that have been manually placed in this group. You are also able to

create groups inside of an existing classic node group. Classic node groups are identified by a folder icon

in the Tree Pane of the Nodes Manager.

5.1.2 Smart Node Groups

Smart node groups, conversely, are dynamic groups whose “children” nodes are automatically

populated based upon specific properties or user defined profiles configured in Asset View. Smart node

groups are identified by a lightbulb icon in the Tree Pane of the Nodes Manager.

Users are unable to create smart node groups as these groups are managed through Asset View. Using

Asset View is the only way to create, delete, or rename these smart node groups. Creating a new tag or

tag set in Asset View, for example, would create a corresponding smart node group in the Node

Manager. This means you are unable to create groups inside of a smart node group, and move, link, or

import smart node groups.

5.2 Create an Object

Each of the managers (excluding the Home Page, Log, and Settings Managers) control and manage

specific objects. Each manager has its own object(s) which can have different types:

Manager    Object(s)
-------    ---------
Node       Node
Rule       Rule
Action     Action
Task       Task
Policy     Policy Test
           Policy
Report     Report
           Dashboard

You are able to create objects within the “Root Group” of each manager or within other groups. The

Policy and Report Managers are unique in that they each have two types of objects that they manage. In

the Policy Manager you can create both policy tests and policies. In the Report Manager you can create

both reports and dashboards.

The process of creating new objects is essentially the same for each of these managers:

1. Navigate to the desired manager for the object you would like to create.

2. Select the location you would like to create the new object within (either the “Root Group” or

another group).

3. Click on the New <Object Name> button under the Manage button set on the button bar (where

“<object name>” is one of the objects from the above table).

4. (If applicable) Select the type of object to create in the resulting dialog window.

5. Complete the New <Object Name> Wizard with your desired settings.

6. Click Finish to create the object.

5.2.1 Create a Rule

To create a rule, follow the same process explained above for creating new objects, but do so within the

Rule Manager. Below are some helpful tips to consider when creating rules:

Place newly created rules within a meaningful group structure as you will need to scope check

tasks to these groups, among other operations.

After selecting the type of rule to create, you will have an opportunity to provide a name and

description for the rule. You will also notice a checkbox called “Enable Tracking Identifier”. Keep

this checkbox selected if you would like the rule to have a unique identifier to track it between

different TE installations or import/export processes. In most cases, you will want to keep this

checkbox selected.

For certain rule types (such as file system rules), you will need to specify start and/or stop points

for the rule. You will also see a “Browse” button that you can use to browse the file system of an

Agent host.

To do so you will need to click the “Select Node” button and navigate to the host you would like

to browse. Then click OK.

Browse the file system until you identify a location/path you would like to create a start or stop point for. Your selection will appear in the “Selected path” field. Click the New Start Point or New Stop Point button, respectively, then complete the start/stop point wizard with your desired settings.

Start Point Tips

o It is far better to have a start point that you have “drilled down” to (start small) and then widen the start point or rule later than to start at the top of a file path tree. If you do the latter, you may end up with hundreds of thousands of elements that are not critical to the execution of the application or system you are monitoring. You must then pare down the start point or rule and then find and delete all the elements that will no longer be monitored. Otherwise these elements become “orphans” that uselessly clutter your database and result in audit event error messages in your Log Manager.

o Reset the “Default Severity” level from the default of 10000 to a level that either reflects the criticality of changes to this element or falls within a severity range you have defined. Doing the latter allows you to generate reports that target a specific severity range and include only changes from the rules with a corresponding severity level.

o Do not set a default severity of zero. Changes to elements associated with a rule whose severity is zero will never be reported as changes. New element versions will still be collected, however, and will accumulate as unpromoted changes to that element.

o Mark the “Archive element content” checkbox if the files in the directory path of the start point are primarily text files, or if you have a specific need to monitor the content of text files in the path. Otherwise, leave it unchecked. TE will not archive the content of binary or encrypted files. Use caution if you have a directory that contains a large number of text files, as monitoring such a path can consume a lot of database space, especially if the file content changes frequently.

o Keep the “Recurse directory” checkbox selected unless the start point is for a specific file rather than an entire directory.

o Change the “Limit depth to” field to a value other than zero only if you want to limit the depth of your recursive monitoring. (A value of zero instructs TE to monitor from the start point path to the bottom of the path’s directory structure.) For example, if you want to monitor files one level down from a start point path, change the value to 1.

o When selecting your criteria set, keep in mind that “content” refers to monitoring content hashes and/or file size. It does not archive the file content as the previously mentioned “Archive element content” option does. If none of the built-in criteria sets meets your needs, you can create a new one. To simplify the process, you can also create a new criteria set based upon an existing one using the “New from Selected” button. You can click on any of the pre-defined criteria sets to see which attributes a given set actually captures. Leaving “package data” collection unchecked in a new (or existing) criteria set causes TE to silently “skip” any locked attributes instead of reporting an inability to capture information when another process holds an exclusive lock on the file.


o You can use the include or exclude filters to gain more granular control over which files TE will monitor under a particular start point. Element filters apply to the full recursion depth specified in the start point. Configuring an include filter causes TE to monitor only files that match the filter; everything else is excluded. Configuring an exclude filter causes TE to monitor all files in the start point path except those that match the filter. If you want to monitor only directories, use an exclude filter of “*” to match all files.

Use stop points to exclude specific paths from monitoring and to stop recursion below them. You can also use a stop point to exclude a specific file. Commonly excluded paths include data or log directories.
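The tips above describe how a start point, its recursion depth, include/exclude filters and stop points combine to decide which elements a file system rule monitors. The following is an added example, not code from the guide or from Tripwire: it models those selection semantics over a constructed in-memory directory tree so you can see the effect of each setting before committing to it in the Console. The sample paths, the glob-style filter matching and the treatment of the start point directory as a monitored element are assumptions made for illustration; TE's own Agent walks the real host file system.

```python
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Constructed sample host tree for illustration: (path, is_directory).
SAMPLE_TREE = [
    ("/opt/app", True),
    ("/opt/app/bin", True),
    ("/opt/app/bin/server", False),
    ("/opt/app/conf", True),
    ("/opt/app/conf/app.conf", False),
    ("/opt/app/conf/keys", True),
    ("/opt/app/conf/keys/tls.key", False),
    ("/opt/app/logs", True),
    ("/opt/app/logs/app.log", False),
    ("/opt/app/data", True),
    ("/opt/app/data/db.sqlite", False),
]


def select_elements(tree, start, *, recurse=True, limit_depth=0,
                    include=(), exclude=(), stop_points=()):
    """Return the sorted paths a start point would monitor.

    Semantics follow the guide: limit_depth 0 means 'to the bottom of the
    tree'; include/exclude are file-name patterns applied at every depth
    (directories are never filtered out, so an exclude of '*' keeps only
    directories); a stop point excludes a path and everything below it.
    """
    start_path = PurePosixPath(start)
    stops = [PurePosixPath(s) for s in stop_points]
    selected = []
    for path, is_dir in tree:
        p = PurePosixPath(path)
        if p != start_path and start_path not in p.parents:
            continue                       # outside this start point
        depth = len(p.relative_to(start_path).parts)
        if depth > 0 and not recurse:
            continue                       # start point is a single element
        if limit_depth and depth > limit_depth:
            continue                       # deeper than the configured limit
        if any(s == p or s in p.parents for s in stops):
            continue                       # on or below a stop point
        if not is_dir:
            if include and not any(fnmatch(p.name, g) for g in include):
                continue
            if exclude and any(fnmatch(p.name, g) for g in exclude):
                continue
        selected.append(path)
    return sorted(selected)


def orphaned_elements(before, after):
    """Elements monitored under the old scope but not under the new one.
    After narrowing a start point these are the 'orphans' the guide says
    you must find and delete by hand."""
    return sorted(set(before) - set(after))
```

Running `select_elements(SAMPLE_TREE, "/opt/app")` and then the same call with `stop_points=("/opt/app/logs", "/opt/app/data")` and feeding both results to `orphaned_elements` lists exactly the log and data elements that would be left behind in the database after narrowing the rule, which is the clean-up the first tip warns about.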


5.2.2 Create a Task

To create a task, follow the same process explained above for creating new objects, but do so within the Task Manager. Below are some helpful tips to consider when creating tasks:

• Completing the Fast Track process will generate many initial tasks for you. However, you will often need to adjust the imported tasks or add more to gain greater granularity and control over the configuration.

• When naming tasks, it is best practice to be as descriptive as possible. A good strategy is to include the type of task followed by the scheduled frequency, scoped nodes, and scoped rules. An example is “OS - Daily - Windows 2008 R2 Node(s) with Windows 2008 R2 Change Audit Rules”.

• You can create a baseline check task to automate the baseline process, but it is often simpler to use a check task to perform the initial baseline operation. When you create a new check task, the final page of the wizard gives you the opportunity to “initialize baselines” upon creation of the check task. Alternatively, you can select an existing check task and click the Baseline button on the button bar.


• The “Run as user” field determines the user context in which the task runs. If that user has restricted access to nodes and/or rules, the task can fail. It is recommended that tasks be created by a user with the “Administrator” role so the task can run as the “system” user.

• It is best practice to always set timeouts for check tasks. This ensures that the check task will be stopped if the operation is taking too long. Set a timeout for the shortest time you are comfortable with (usually 1 hour is sufficient). As more nodes are added (or if you notice a check task has timed out), you can extend the timeout value.

• When scoping tasks to node and rule groups, be sure that you are selecting the correct node group for the rules you plan to run the task against. If there is a mismatch, you run the risk of checking the wrong elements against nodes or not getting the report results you expect.

• When configuring the check interval, “daily” means every day of the week, whereas “weekly” allows you to select which days of the week to execute the task. Where maintenance windows or backup schedules come into play, using weekly gives you greater flexibility.


• Keep in mind that tasks run according to the time of the TE Console server. If the target node or node group is in another time zone, take this into consideration when selecting the task run time(s).

• Be sure to apply appropriate actions to the task. Commonly applied actions (or action groups) include BAU (business-as-usual) promotion workflows, alert actions (such as email or syslog actions), and run-report actions. Keep in mind that you can apply more than one action to a task.

5.2.3 Create an Action

To create an action, follow the same process explained above for creating new objects, but do so within the Action Manager. Below are some helpful tips to consider when creating actions:

• Actions only execute in response to an element change. Keep that in mind when creating and using them.

• Use the true and false settings of conditional actions to create a sophisticated action workflow.

• When multiple actions are located in a group, the ordinal value determines the order in which they execute. Mark the checkbox of an action in a group and use the “Move Ahead” and “Move Back” buttons to adjust its placement in the order.

• Actions can be applied to rules and/or tasks, giving you the flexibility to execute actions in different situations.
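The tips above cover three behaviours of actions: they run only when a check produced an element change, a group runs its members in ordinal order, and a conditional action picks a true or false branch. The following is an added example, not code from the guide or from Tripwire, that models an action group with those three behaviours and runs it over a few constructed change records. The action names, the change record layout and the “business-as-usual” path prefixes are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Change:
    element: str
    version_type: str          # added / modified / removed
    severity: int
    promoted: bool = False


@dataclass
class Action:
    name: str
    ordinal: int               # position within its group
    run: Callable[["Change", list], None]


@dataclass
class ConditionalAction:
    """Runs the 'true' branch when test(change) holds, otherwise the 'false' one."""
    name: str
    ordinal: int
    test: Callable[["Change"], bool]
    if_true: List[Action] = field(default_factory=list)
    if_false: List[Action] = field(default_factory=list)

    def run(self, change, log):
        branch = self.if_true if self.test(change) else self.if_false
        for action in sorted(branch, key=lambda a: a.ordinal):
            action.run(change, log)


def run_action_group(actions, changes):
    """Apply a group to the changes one check produced, in ordinal order.
    With no changes nothing runs at all, which is the guide's first point."""
    log = []
    for change in changes:
        for action in sorted(actions, key=lambda a: a.ordinal):
            action.run(change, log)
    return log


# Constructed leaf actions standing in for TE's syslog, email and promote actions.
def syslog_action(change, log):
    log.append(f"syslog:{change.element}:{change.version_type}")


def email_action(change, log):
    log.append(f"email:{change.element}:{change.version_type}")


def promote_action(change, log):
    change.promoted = True
    log.append(f"promote:{change.element}")


BAU_PREFIXES = ("/var/log/", "/var/spool/")   # assumed business-as-usual paths


def build_group():
    """Ordinal 1 records every change; ordinal 2 auto-promotes expected log
    growth and escalates anything else by email."""
    def is_bau(change):
        return change.version_type == "modified" and change.element.startswith(BAU_PREFIXES)
    return [
        Action("Syslog every change", 1, syslog_action),
        ConditionalAction("Business-as-usual?", 2, is_bau,
                          if_true=[Action("BAU promotion", 1, promote_action)],
                          if_false=[Action("Email alert", 1, email_action)]),
    ]


def demo():
    changes = [
        Change("/var/log/app.log", "modified", 1000),
        Change("/etc/passwd", "modified", 10000),
        Change("/opt/app/bin/server", "added", 10000),
    ]
    log = run_action_group(build_group(), changes)
    return log, [c.promoted for c in changes]
```

Swapping the ordinals of the two top-level actions would put the promotion before the syslog entry, which is the kind of ordering mistake the “Move Ahead”/“Move Back” buttons exist to correct.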

5.2.4 Create a Report

To create a report, follow the same process explained above for creating new objects, but do so within the Report Manager. Below are some helpful tips to consider when creating reports:

• It is recommended that you use a specific report group for storing reports that you create or run on an irregular basis (such as “one-off” reports). You can create your own group(s) or use the “Ad-hoc” group.


• When creating reports, use the Criteria tab of the report’s property editor to configure the specific parameters for the report. You can choose to report on specific rules, nodes, versions, and many other options. The parameters available depend upon the report type you choose.

• Reports can link to other reports. This allows you to have a higher-level summary report with interactive (clickable) links that generate more detailed reports. By default you should have “drill down” report templates installed. When creating new reports, simply link to these “drill down” report templates using the “Links” section of the Criteria tab of the report’s property editor. Alternatively, you can create your own report templates to link to. You can select a single report or a group for each available report link. If you select a group, the user is presented with a dialog from which to choose the linked report they would like to run.

• After running a report, you can export, email, or archive the report as a means of “saving” it. Archiving the report stores the results in the TE back-end database; simply click the “Archive Report” button. Keep in mind that exported, emailed, or archived reports do not include any linking or “drill down” functionality.

• For timely attention to detected changes or compliance results, it is recommended that you create scheduled reports. Create and organize your reports according to the type of report (change audit versus compliance, for example) and frequency (daily, weekly, monthly, quarterly, ad-hoc, etc.). Then create a report task in the Task Manager and select the corresponding report.


5.3 Move an Object

Each of the managers (excluding the Home Page, Log, and Settings Managers) controls and manages specific objects. Once an object exists in a manager, you can move the object to a different group to keep things organized.

NOTE: You can only move objects into either the “Root Group” or other standard groups. For example, you cannot move a node object into a smart node group, as smart node groups are managed using Asset View.

The process of moving objects is essentially the same for each of these managers:

1. Select the parent group of the object you would like to move in the Tree Pane.

2. Select the checkbox that corresponds to the object you would like to move in the Main Pane.

3. Click on the Move button under the Manage button set on the button bar.

4. In the resulting dialog window, select the group you intend to move the object into. The group name will appear in the Destination field.

5. Click OK to move the object.


5.4 Link/Unlink an Object

Each of the managers (excluding the Home Page, Log, and Settings Managers) controls and manages specific objects. An object can exist in one group or in many. When an object is located in many groups, it is said to be “linked” in multiple locations; in other words, a single object is referenced from several groups. If you edit this object in one location, your changes are reflected across all other references to it.

NOTE: The process of moving an object is similar to linking. When an object is moved, a link to the object is created at the new location and the link at the old location is deleted.

NOTE: You can only link objects into either the “Root Group” or other standard groups. For example, you cannot link a node object into a smart node group, as smart node groups are managed using Asset View.

The process of linking objects is essentially the same for each of these managers:

1. Select the parent group of the object you would like to link in the Tree Pane.

2. Select the checkbox that corresponds to the object you would like to link in the Main Pane.

3. Click on the Link button under the Manage button set on the button bar.

4. In the resulting dialog window, select the group you intend to link the object to. The group name will appear in the Destination field.

5. Click OK to link the object.

The process of unlinking objects is nearly identical to linking them:

1. Select the parent group of the object you would like to unlink in the Tree Pane.

2. Select the checkbox that corresponds to the object you would like to unlink in the Main Pane.

3. Click on the Unlink button under the Manage button set on the button bar.

4. In the resulting dialog window, select the group you intend to unlink the object from. The group name will appear in the Destination field.

5. Click OK to unlink the object.

If you unlink an object from all of its linked locations, the object is moved to the special Unlinked group of the current manager. See Delete an Object for more information.


5.4.1 Link a Node

To link a node, follow the same process explained above for linking objects, but do so within the Node Manager. Linking nodes manually is primarily a legacy operation, as smart node groups are now the default way to group nodes. Use Asset View to organize your nodes and tag them appropriately. Doing so creates smart node groups that automatically link nodes as they are tagged and placed in your configured tag sets.


5.5 Delete an Object

Each of the managers (excluding the Home Page, Log, and Settings Managers) controls and manages specific objects. Just as you can create objects, you can also delete them. Deleting an object purges it from the database.

NOTE: The process of deleting an object is similar to unlinking. When an object is deleted, all links to the object are removed.

There are slight differences between deleting groups and deleting objects. If you delete a group, all descendant objects (the “children”) are placed in the special Unlinked group of the current manager. Think of the Unlinked group as analogous to an operating system’s trash or recycle bin. Objects in the Unlinked group remain there until the Clear Unlinked Groups task runs, which you may choose to start at the time of deletion. Either way, as soon as this maintenance task starts, the objects are purged from the database irreparably. If you delete an individual object (rather than a group), it is purged from the database irreparably at the time of deletion.

NOTE: If you delete an object from the Unlinked group, it is purged from the database irreparably at the time of deletion.

The process of deleting objects is essentially the same for each of these managers:

1. Select the parent group of the object you would like to delete in the Tree Pane.

2. Select the checkbox that corresponds to the object you would like to delete in the Main Pane.

3. Click on the Delete button under the Manage button set on the button bar.

4. In the resulting dialog window you may choose to run the Clear Unlinked Groups task or not.

5. Click OK to delete the object.

5.5.1 Delete a Node

If the data pertaining to the node is not required for future audits or historical purposes, you may simply delete it. Follow the process below to remove a node:

1. If you are deleting a file system node, have a system administrator uninstall the TE Agent installed on that system first. Otherwise, future restarts of the Agent service will recreate the node in the Console.

2. If desired, the system administrator can delete the Agent’s installation path after uninstalling it (by default, certain configuration files are left behind in case the Agent uninstallation was a mistake).

3. Once you are ready to delete the node, follow the same steps explained above for deleting objects.


NOTE: Deleting a node removes all licenses assigned to it. Additionally, certain objects associated with the node, such as tasks or actions, are deleted along with it.


5.6 Import/Export an Object

Each of the managers (excluding the Home Page, Log, and Settings Managers) controls and manages specific objects. TE provides an import and export feature for each of these objects. This allows previously configured objects to be exported as is, or imported to create identical copies of the original configuration. Importing and exporting are useful for creating backups of a manager’s content, managing content between multiple Consoles, and upgrading TE content as Tripwire publishes updates.

The process of exporting objects is the same for each of these managers:

1. Select the parent group of the object you would like to export in the Tree Pane.

2. Select the checkbox that corresponds to the object you would like to export in the Main Pane.

3. Click on the Export button under the Manage button set on the button bar.

4. In the resulting dialog window, choose whether to export all objects in the manager or only the selected ones (in the Node Manager, for example, the options are “All nodes and node groups” and “Selected nodes and node groups only”). Choosing the latter exports only the objects you have selected in the Main Pane.

5. Click OK to export the object.

6. Save the resulting XML file.

The process of importing objects is the same for each of these managers:

1. Select the parent group in which you would like to import new objects from the Tree Pane.

2. Click on the Import button under the Manage button set on the button bar.

3. In the resulting dialog window, click the “Browse” button and navigate to the location of the XML file to import.

4. Click OK to import the new object(s).

NOTE: Upon import, TE attempts to link existing objects to the imported objects using the following criteria:

• the unique tracking ID of the object

• matching objects of the same name (and type)

NOTE: When importing content published by Tripwire, always import into the “Root Group” of the manager. Otherwise you will create duplicate groups in alternate locations, which creates unnecessary links and complicates future imports.

TIP: When importing updated rules/policies published by Tripwire, it is best practice to update all of your rules and policies at the same time.


NOTE: When importing policies, you must import the policy rules into the Rule Manager before importing the policies into the Policy Manager.

NOTE: When importing content published by Tripwire, any custom modifications you have made to Tripwire-published rules will be overwritten by the newly imported content.

NOTE: If you attempt to import the wrong import file into a manager, you will receive an error.
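The notes above state how an import is reconciled with what already exists (tracking ID, then name and type), that customised Tripwire rules are overwritten, that policies depend on rules being imported first, and that a file aimed at the wrong manager is rejected. The following is an added example, not code from the guide or from Tripwire, and it does not use TE's actual XML schema: it applies those rules to constructed object records so the precedence and failure modes can be exercised. The record fields (`type`, `name`, `tracking_id`, `custom_edits`, `rule_refs`), the manager-to-type table and the assumption that tracking ID matching takes precedence over name matching are all assumptions for illustration.

```python
# Which object types each manager accepts (assumed, for illustration).
MANAGER_TYPES = {
    "Rule Manager": {"rule", "rule group"},
    "Policy Manager": {"policy"},
}


def _match(existing, new):
    """Guide's criteria, taken in order: unique tracking ID first, then same name and type."""
    tracking_id = new.get("tracking_id")
    if tracking_id:
        for obj in existing:
            if obj.get("tracking_id") == tracking_id:
                return obj, "tracking ID"
    for obj in existing:
        if obj["type"] == new["type"] and obj["name"] == new["name"]:
            return obj, "name and type"
    return None, None


def import_objects(console, manager, imported):
    """Import object records into one manager of `console` (a dict of
    manager name -> list of records) and return a log of what happened.
    Raises ValueError for the two situations the guide flags as errors."""
    allowed = MANAGER_TYPES[manager]
    existing = console.setdefault(manager, [])
    known_rules = {o.get("tracking_id") for o in console.get("Rule Manager", [])}
    log = []
    for new in imported:
        if new["type"] not in allowed:                  # wrong file for this manager
            raise ValueError(f"cannot import a {new['type']} into the {manager}")
        missing = set(new.get("rule_refs", ())) - known_rules
        if missing:                                     # policies need their rules first
            raise ValueError(f"{new['name']} references rules not yet imported: {sorted(missing)}")
        target, how = _match(existing, new)
        if target is None:
            existing.append(dict(new))
            log.append((new["name"], "created"))
            continue
        outcome = "custom modifications overwritten" if target.get("custom_edits") else "updated"
        target.clear()
        target.update(new)                              # imported content replaces the definition
        log.append((new["name"], f"{outcome} (matched by {how})"))
    return log


def demo():
    """Constructed scenario: a locally edited Tripwire rule, a custom rule
    without a tracking ID, a brand-new rule, and a policy that needs them."""
    console = {
        "Rule Manager": [
            {"type": "rule", "name": "Linux OS Files", "tracking_id": "tw-001", "custom_edits": True},
            {"type": "rule", "name": "Custom App Rule", "tracking_id": None},
        ],
        "Policy Manager": [],
    }
    rule_update = [
        {"type": "rule", "name": "Linux OS Files v2", "tracking_id": "tw-001"},  # renamed upstream
        {"type": "rule", "name": "Custom App Rule", "tracking_id": None},        # no ID: name match
        {"type": "rule", "name": "Windows OS Files", "tracking_id": "tw-002"},
    ]
    policy = [{"type": "policy", "name": "OS Baseline", "tracking_id": "tw-p01",
               "rule_refs": ["tw-001", "tw-002"]}]
    # Importing the policy before its rules is the ordering mistake the guide warns about.
    try:
        import_objects({"Rule Manager": [], "Policy Manager": []}, "Policy Manager", policy)
        early_import_rejected = False
    except ValueError:
        early_import_rejected = True
    rule_log = import_objects(console, "Rule Manager", rule_update)
    policy_log = import_objects(console, "Policy Manager", policy)
    return rule_log, policy_log, len(console["Rule Manager"]), early_import_rejected
```

Note what the tracking ID buys you: the upstream rename to “Linux OS Files v2” still lands on the existing rule rather than creating a duplicate, but the local edits on that rule are lost, exactly as the second note says.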


5.7 Baseline a Node

Beginning with TE version 8.1, creating an initial baseline of a node is no longer a required step. TE automatically generates baseline element versions for any rule running against a node that has not previously been baselined. However, there may be instances in which you wish to baseline a node outside of the first check:

1. Select the parent group of the node you would like to baseline in the Tree Pane.

2. Select the checkbox that corresponds to the node you would like to baseline in the Main Pane.

3. Click on the Baseline button under the Control button set on the button bar.

4. In the resulting dialog window:

a. (Not available for nodes with 0 elements) Select the first “Baseline” radio button to baseline the node with all currently baselined rules (essentially re-baselining the node, depending upon the selection in steps c/d below).

b. Select the second “Baseline” radio button to baseline the node with a specific rule or rule group. Navigate to your desired rule or rule group and click it in the dialog window’s Tree Pane. Your current selection will appear in the “Rule” field.

c. Select the first “Create baselines for” radio button to create baselines only for rules that have not previously been baselined.

d. Select the second “Create baselines for” radio button to create baselines for all rules selected above (this may result in some elements being re-baselined as well as new rules being baselined).

5. Click OK to baseline the node.

Once a node has been baselined, it should only be checked from then on. The exceptions are when you have modified any of the rules previously baselined against it (such as by importing an updated rule), or when you have created a new rule that you would like to baseline against the node.


5.8 Check a Node

Performing a check of a node is the heart of TE’s monitoring. TE uses checks to assess whether a monitored element has changed in any fashion. The best approach to configuring checks is to use scheduled check tasks. However, there may be times when you need to check a node manually. For example, you may want to run a manual check to obtain the latest possible version of a monitored element, or to gather any audit events held in the Agent’s queue (for nodes that support the TE Event Generator).

1. Select the parent group of the node you would like to check in the Tree Pane.

2. Select the checkbox that corresponds to the node you would like to check in the Main Pane.

3. Click on the Check button under the Control button set on the button bar.

4. In the resulting dialog window:

a. (Not available for nodes with 0 elements) Select the first “Perform check on” radio button to check the node with all currently baselined rules.

b. Select the second “Perform check on” radio button to check the node with a specific rule or rule group. Navigate to your desired rule or rule group and click it in the dialog window’s Tree Pane. Your current selection will appear in the “Rule” field.

5. Click OK to check the node.


5.9 Viewing Changes

When TE detects a change to a monitored element, a visual indicator called the severity indicator appears on the node icon. This indicator takes the form of a colored dot; the colors are configured on the Settings Manager > System > Severity Ranges page. To view the specific elements with changes:

1. Navigate to the rule associated with the element in the Tree Pane. You can do so by expanding the node and/or rule groups that show the same colored severity indicator.

2. Select the rule found in step 1 in the Tree Pane.

3. Elements with changes should appear at the top of the Main Pane by default. They have a colored plus, minus, or exclamation point symbol on the element icon. The Main Pane shows you the element name, current version, and version type. If you do not see any elements with changes, sort by severity.

4. If you would like to compare the current version with the most recent baseline version, click on the version type link. This opens the Difference Viewer in a new window.

The Difference Viewer compares the current element version with the most recent baseline element version in a side-by-side view. Tabs at the top of the Difference Viewer allow you to switch between comparing the element content (if available) and the monitored attributes. Differences are shown in red (change/modification), green (insertion/addition), or blue (deletion).


5.10 Promoting Changes

A critical component of using TE is promoting changes. By default, TE assumes all changes are unauthorized. When changes are detected, they are made available for viewing in the UI as well as through reports and alerts. It is vital that you evaluate each change and determine whether it was authorized or unauthorized. Promoting a change informs TE that the change was authorized; TE then takes the promoted change version and uses it as the new baseline version. Future checks look for differences between this new baseline version and what is currently on the monitored system.

To evaluate if a change is authorized or unauthorized, use these questions as guidance:

1. Is the change known, expected, and approved?

2. Is the change unexpected but still appropriate?

3. Is this a system or application induced change?

4. Is the change both unexpected and inappropriate?

Mature organizations will usually have a maintenance/change schedule during which change is expected to occur. Even if they do not have defined change windows, mature organizations have strict change management guidelines to provide visibility into and approval for any changes that occur. When change management evaluates a change for impact and deems it approved, the change can then be scheduled and implemented. Changes following this process should be promoted within TE.

There are times when changes may not have been approved by change management prior to implementation, whether due to process negligence or because they were not expected. If the change is appropriate, it should be promoted within TE. An example would be the installation of a utility that supports a critical business application. If the lack of a change request was due to process negligence, this is a good opportunity to educate personnel on the change management process.

However, if the change is not appropriate, it should not be promoted within TE. Examples include a missing file or the presence of an unexpected file. Instead, the TE administrator, along with the application and/or system administrators, should investigate the change and revert the system to its previous condition. Once TE has detected the resolution as a new change, a promotion should be performed to close the loop.

For changes that are unexpected but caused by a system/application process, it is wise to configure a forensic or BAU action workflow to promote such changes. Once that workflow is configured, you will still need to promote the initial change.

To assist in the decision-making process, it is helpful to review what specifically was modified, added, or removed on a monitored system. See Viewing Changes for more information on identifying and viewing changes within the Console UI. When you are in the Node Manager or on the Elements tab of a node’s Property Editor, the Version Type column clearly indicates the type of change that occurred for a given element. Use the Difference Viewer, element properties, and version information to investigate the change.

Once you have concluded your investigation and decided a promotion is warranted, you are ready to promote the affected elements:

1. Navigate to the Node Manager.

2. Navigate to the affected elements, either within the Node Manager, from the Elements tab of the node’s Property Editor, using the results of an Element Search, using the results of a Version Search, or by switching to “Elements View” when looking at certain changed elements reports.

3. Mark the checkbox next to each element or element version you would like to promote. Click on the Promote button from the button bar (under the Control button set in the Node Manager).

4. In the resulting dialog window, you may see more than one promotion method available depending upon the object you selected. If you selected an element version, however, you should only see the “Promote selected versions” method. Select this method and click OK.

5. In the resulting dialog window, select the “Custom” radio button if you want to manually specify the promotion comment and approval identifier. If you have previously created a promotion approval template, you can choose the “From template” radio button and select your desired template.

6. Complete and/or edit the promotion comment and approval identifier fields. If you would like to use your comment and approval identifier as a future approval template, click the “Save as Template” button.

7. Click Next >.

8. Finally, unless you intend to use a “package” in your promotion action, click Finish. Your selected elements/versions will now be promoted.

5.11 Viewing Reports and Dashboards

Reports and dashboards can be viewed in several ways:

• Click on the Run Report button next to a report or dashboard in the Report Manager or Reports widget on the Home Page Manager.

• Have the report emailed, either manually after running it or through a report task.

• Graphical reports configured within a dashboard can be viewed on the home page they were added to once they have fully loaded. Clicking on the graph will load the full report for viewing.

NOTE: It can take dashboards some time to load and display. Keep this in mind when configuring the scope of the dashboard reports.

6 NODE OPERATIONS

6.1 Onboarding Agent Nodes

6.1.1 With Smart Node Groups Enabled

Onboarding of new nodes is largely handled automatically by TE. With Smart Node Groups enabled, new nodes are dynamically tagged with System Tags, organizing them by platform. When additional Tagging Profiles have been configured, nodes can be automatically tagged using a variety of properties.

6.1.2 Without Smart Node Groups Enabled (Legacy Feature)

If Smart Node Groups are disabled, however, this automatic tagging does not occur. Newly installed Agents create a new node that appears in the special “Discovered” node group of the Node Manager. This node group is located underneath the Root Node Group and is one of the last items in the Tree Pane.

It is necessary to move newly discovered nodes into a node group to appropriately configure them for monitoring. Often these node groups organize nodes by platform and other properties. To do so, we’ll use the standard operation to move the node(s):

1. Once a node has appeared in the Discovered node group, select the node’s checkbox and click the Move button.

2. A dialog window displays. Select the group you intend to move the node into. The group name will appear in the Destination field.

3. Click OK to move the node.

6.2 Event Generator and Enable Real-time Monitoring

The standard configuration of TE results in monitoring at regular intervals through the use of scheduled check tasks. However, TE also supports a feature called “Real-time Monitoring” (RTM). As the name implies, this feature provides notification of changes on a near real-time basis. This is accomplished by hooking into the operating system’s kernel or audit system and looking for relevant changes to monitored file system or registry objects. The added bonus of this feature is that TE has access to additional information about the change, such as the username of the user responsible for the change (“who” data).

When a TE Agent is installed, the default installation will also install a separate component, called the TE Event Generator. This component is what performs the hook and generates the audit event information for the Agent. When a change occurs, the Event Generator generates an audit event which is sent to the Agent. If audit event collection is configured for a node, the Agent sends this audit event information back to the Console when the next scheduled check task is run. If Real-time Monitoring is enabled, however, the Agent will initiate a check against the changed object as soon as it receives the audit event from the Event Generator. This results in timely notification of changes as well as a comprehensive history of changes to an object (instead of change information being restricted to the most recent change that occurred to the object when a check task is performed).

Agentless nodes such as database or directory servers have limited support for audit event collection. The process of collecting this information is different from Agent-based nodes as there is no Event Generator. Instead, TE will pull the audit event information from the application’s event or audit logs to correlate with the change.

There are two methods to configure audit event collection and/or Real-time Monitoring: on a single-node basis or in bulk.

6.2.1 Configure on a Single-node Basis

1. Select the parent group of the node you would like to configure in the Tree Pane.

2. Click on the name link of the node you would like to configure to open its Property Editor.

3. In the resulting Property Editor window, click on the Events tab.

4. On the Events tab, select the options you desire.

a. To configure audit event collection, mark the “Collect audit-event information” checkbox. If present, select either “Operating system audit log” or “TE event generator” in the Event source dropdown.

b. To configure Real-time Monitoring, mark the “Collect audit-event information” checkbox. Next, select “TE event generator” in the Event source dropdown. Then mark the “Enable real-time monitoring” checkbox.

5. Click OK to save the configuration.

6. Ensure that you have baselined rules against the node that have RTM enabled as well. See Configure Real-time Monitoring for Rules for more information.

6.2.2 Configure in Bulk

1. Select the parent group of the nodes you would like to configure in the Tree Pane.

2. Mark the checkboxes that correspond to the nodes you would like to configure in the Main Pane.

3. Click on the Events button under the Modify button set on the button bar.

4. In the resulting dialog window, select the options you desire.

5. On the Events tab, select the options you desire.

a. To configure audit event collection, mark the “Collect audit-event information” checkbox. Then select either “Operating system audit log” or “TE event generator” in the Event source dropdown.

b. To configure Real-time Monitoring, mark the “Collect audit-event information” checkbox. Next, select “TE event generator” in the Event source dropdown. Then mark the “Enable real-time monitoring” checkbox.

6. Click OK to save the configuration.

7. Ensure that you have baselined rules against the node that have RTM enabled as well. See Configure Real-time Monitoring for Rules for more information.

NOTE: Configuring in bulk will not inform you of any nodes that do not support the Event Generator.

6.3 Create a Custom Node Type

In some cases, you will have devices you need to monitor for which TE has no default, built-in node type. In these cases, you will want to create a custom node type from which you can create custom nodes that identify as your new type.

1. Navigate to Settings Manager > Monitoring > Custom Node Types.

2. Click on the New Custom Node Type button.

3. Specify a custom node type name and (optional) description in the resulting dialog window.

4. Click Finish to create the custom node type.

This custom node type will now appear in your list of custom node types. Additionally, it will appear as an available option under “Custom” when creating a new Network Device node.

6.4 Create the Custom Node

To create a custom node, follow the same process explained above for creating new objects, but do so within the Node Manager. Below are some helpful tips to consider when creating custom nodes:

1. When selecting the type of node to create, navigate to Network Device > Custom and select the custom node type you previously configured.

2. When naming custom nodes, be sure to use an IP address or resolvable fully qualified domain name (FQDN) for the system you would like to monitor.

3. Select an appropriate communication method. It is recommended that you choose SSH as it will encrypt your communication between the system and the TE Console. You will need to ensure the specified ports are open between the TE Console host and the target system.

4. Select an appropriate transfer method. It is recommended that you choose SFTP or SCP as they will encrypt your communication between the system and the TE Console. You will need to ensure the specified ports are open between the TE Console host and the target system.

5. Select the appropriate SSH cipher type for the target system and the length of time before a connection timeout occurs. If the system uses a paging function when viewing long outputs, enter the pager prompt in the “Pager prompt” field. Add or remove checkmarks as appropriate for the “Use DOS style line endings” and “Automatically append newlines” settings. You may have to experiment with those last two options.

6. When specifying the username and password to authenticate to the target system with, you can enter a value manually or specify a Global Variable to use. You can even create new Global Variables from the custom node creation wizard. If you do create a new Global Variable for either field, name each one something descriptive.

7. If the system you are authenticating to uses a unique login or logout process, configure the login and logout scripts on the respective wizard pages. Click the Add Condition button and specify a prompt-response pair for each step of the interactive login or logout process.

8. When entering version information, you can choose to enter static values or use regex to capture parts from the output of a command string that you specify. Using the latter option will provide you with more flexibility if you craft the regex in a reusable way. You can use the contextual “Help” link for an example usage.

9. Use the Test Login button to validate your credentials and login/logout scripts.

10. You will want to create custom command output validation rules (COVRs) to monitor these custom nodes. Once your custom node is created, you can baseline the COVRs against it.
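As an added illustration of step 8 (not code from this guide or from Tripwire), the Python below captures version parts from constructed output of a hypothetical "show version" command using a reusable named-group regex, after normalizing the DOS-style line endings and dropping the pager prompt that step 5 asks you to configure. The device, its banner format, the pattern and the "--More--" prompt are all assumptions made for this example; a non-matching banner returns None rather than a guessed value, so a changed output format is noticed instead of silently mis-parsed.

```python
import re
from typing import Dict, Optional

# Constructed sample output of a hypothetical "show version" command from a
# custom device, including DOS-style line endings and a pager prompt.
SAMPLE_OUTPUT = (
    "ExampleOS Software, Version 12.4(7)T3, RELEASE SOFTWARE\r\n"
    "--More--\r\n"
    "Compiled Tue 04-Jun-2019 10:15 by builder\r\n"
    "example-rtr uptime is 3 weeks, 2 days\r\n"
)

# Reusable pattern: named groups so one regex serves several device families
# whose banners share the "Version <major>.<minor>" core; the build number
# in parentheses and the trailing suffix are optional.
VERSION_RE = re.compile(
    r"Version\s+(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\((?P<build>\d+)\))?(?P<suffix>[A-Za-z0-9]*)"
)


def normalize_output(raw: str, pager_prompt: str = "--More--") -> str:
    """Undo DOS line endings and drop pager prompt lines before matching."""
    lines = raw.replace("\r\n", "\n").split("\n")
    return "\n".join(ln for ln in lines if ln.strip() != pager_prompt)


def extract_version(raw: str, pattern=VERSION_RE,
                    pager_prompt: str = "--More--") -> Optional[Dict[str, str]]:
    """Return the captured version parts, or None when the output does not
    match (so a changed banner is reported instead of a wrong version)."""
    match = pattern.search(normalize_output(raw, pager_prompt))
    if match is None:
        return None
    # Optional groups that did not participate come back as None; use "".
    return {name: value or "" for name, value in match.groupdict().items()}


def version_string(parts: Dict[str, str]) -> str:
    """Rebuild a compact version value from the captured parts."""
    core = f"{parts['major']}.{parts['minor']}"
    if parts.get("build"):
        core += f"({parts['build']})"
    return core + parts.get("suffix", "")


if __name__ == "__main__":
    parts = extract_version(SAMPLE_OUTPUT)
    print(parts, version_string(parts) if parts else None)
```

The same pattern also handles a plain "Version 3.10" banner (build and suffix come back empty), which is the sense in which step 8 calls a well-crafted regex reusable.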

6.5 Unlicensing a Node

In some cases, you may need to decommission or otherwise take a node out of service. The best process for doing so is to unlicense the node. This keeps the historical change data in the Console for later review, but frees up those licenses for additional nodes you may want to monitor. While the node is unlicensed, no checks or configuration can be performed against the node.

1. Select the parent group of the node you would like to unlicense in the Tree Pane.

2. Select the checkbox that corresponds to the node you would like to unlicense in the Main Pane.

3. Click on the Licenses button under the Modify button set on the button bar.

4. In the resulting dialog window, deselect all marked licenses assigned to the node.

5. Click OK to unlicense the node.

The node name will now include “(unlicensed)” to show that there are no assigned licenses. Additionally, the node icon will be grayed out.

NOTE: You cannot unlicense the node that corresponds to the local Agent installed on the Console Server host.

7 RULE OPERATIONS

7.1 Tune a Rule

As nodes are monitored for changes, there will be situations in which you will need to optimize your rules:

• For instance, there may be times when you notice “noise”. The term “noise” is applied to certain elements that change frequently or to elements that are not critical to monitor. It is important that rules are optimized to tune out this noise so that you are informed of critical changes.

• The core OS rules that Tripwire publishes are intended to provide notification of system changes that impact stability, security, and availability of the monitored system. These default rules have been refined by Professional Services based upon extensive customer feedback and iterative tuning on thousands of systems so that they represent “best practices” for OS monitoring. With that said, these rules will not be a perfect fit for every customer. It will be necessary to make minor adjustments to these rules to account for changes unique to each environment.

• If you create custom application rules, it is critical that you perform rule tuning to appropriately monitor your desired application with maximum efficiency.

In all of the above cases, rule tuning is necessary to prevent “noise” and optimize the rules. The essence of rule tuning is to monitor what is important and exclude what is not. The following methods are helpful when tuning rules:

• Adjust the Criteria Set for an Element

o Adjusting the element’s criteria set is a common approach to rule tuning. It provides flexibility to focus on specific attributes you want to monitor, whether that be permissions, content, and/or timestamps. For example, if you notice an element’s timestamp keeps being edited by the OS or an application process, it would be wise to exclude that attribute from monitoring.

o The best way to implement this method is to create a new start point specifier for a sub-directory or specific file that needs to have an adjusted criteria set. Applying the new criteria set to the specifier at this level will ensure the adjustment only applies to this subset of files/directories.

• Limit Recursion on Directories

o When it is important to monitor a directory for existence/ownership but not its contents, limiting the recursion can be a great tuning method. Examples of good directories to apply this method to include temp, log, or debug directories.

• Utilize Element Filters

o When directories are poorly organized, it can be helpful to only include files of a specific type, or to exclude all but what you want to monitor. Both include and exclude filters support wildcards. Just keep in mind that element filters only apply to discrete files and not directories. Using element filters is best for dynamic/unreadable or temporary files. Examples include excluding “pid”, “log”, and “tmp” files.

• Utilize Stop Points

o Similar to the above method, it can be helpful to set stop points for particular directories or files. Stop points are great to stop recursion or to exclude files that cannot be read or tend to appear/disappear frequently.

Once you have applied tuning to a particular rule, you will want to continue to monitor the nodes and check for any other tuning opportunities. If you excluded elements as part of the tuning process, you will want to perform a series of element searches to find and delete the “orphaned” elements that are no longer monitored. Otherwise they take up database space and contribute to audit events unnecessarily.
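The four tuning methods above can be tried against a sample file tree before a production rule is touched. The Python model below is an added example written for this guide, not Tripwire's code or its rule engine: the file tree, the rule structure (start points carrying a criteria set, a recursion depth and include/exclude wildcard filters, plus rule-level stop points), the precedence of the most specific start point, and the treatment of a stop point as excluding the stop-point element itself are all simplifying assumptions. It also lists the orphaned elements the tuning leaves behind, which is what the element search in the last paragraph is for.

```python
import fnmatch
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample file system (path -> attributes); not a real TE baseline.
SAMPLE_TREE: Dict[str, dict] = {
    "/etc": {"type": "dir"},
    "/etc/passwd": {"type": "file"},
    "/etc/ssh": {"type": "dir"},
    "/etc/ssh/sshd_config": {"type": "file"},
    "/var/log": {"type": "dir"},
    "/var/log/syslog": {"type": "file"},
    "/var/log/nginx": {"type": "dir"},
    "/var/log/nginx/access.log": {"type": "file"},
    "/var/run": {"type": "dir"},
    "/var/run/sshd.pid": {"type": "file"},
    "/opt/app": {"type": "dir"},
    "/opt/app/app.conf": {"type": "file"},
    "/opt/app/app.log": {"type": "file"},
    "/opt/app/tmp": {"type": "dir"},
    "/opt/app/tmp/cache.tmp": {"type": "file"},
}

# Criteria sets: the attributes of an element that get hashed and compared.
FULL = frozenset({"existence", "owner", "permissions", "content", "mtime"})
NO_CONTENT = frozenset({"existence", "owner", "permissions"})  # tuned: no content/mtime


@dataclass
class StartPoint:
    path: str
    criteria: frozenset = FULL
    recurse_depth: Optional[int] = None  # None = unlimited, 0 = the directory itself only
    include: List[str] = field(default_factory=list)  # wildcard element filters (files only)
    exclude: List[str] = field(default_factory=list)


@dataclass
class Rule:
    start_points: List[StartPoint]
    stop_points: List[str] = field(default_factory=list)


def _is_under(path: str, root: str) -> bool:
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root + "/")


def _depth(path: str, root: str) -> int:
    root = root.rstrip("/") or "/"
    return 0 if path == root else len(path[len(root) + 1:].split("/"))


def evaluate(rule: Rule, tree: Dict[str, dict]) -> Dict[str, frozenset]:
    """Return {path: criteria} for every element the rule would collect."""
    monitored: Dict[str, frozenset] = {}
    for path, attrs in tree.items():
        # Stop points: nothing at or below them is collected (assumption:
        # the stop-point element itself is excluded as well).
        if any(_is_under(path, stop) for stop in rule.stop_points):
            continue
        covering = [sp for sp in rule.start_points if _is_under(path, sp.path)]
        if not covering:
            continue
        # The most specific start point wins, so a tuned specifier for a
        # sub-directory or file overrides its parent only for that subset.
        sp = max(covering, key=lambda s: len(s.path.rstrip("/")))
        if sp.recurse_depth is not None and _depth(path, sp.path) > sp.recurse_depth:
            continue
        if attrs["type"] == "file":  # element filters apply to files, not directories
            name = posixpath.basename(path)
            if sp.include and not any(fnmatch.fnmatch(name, p) for p in sp.include):
                continue
            if any(fnmatch.fnmatch(name, p) for p in sp.exclude):
                continue
        monitored[path] = sp.criteria
    return monitored


def orphaned_elements(before: Dict[str, frozenset], after: Dict[str, frozenset]) -> List[str]:
    """Elements the old rule collected that the tuned rule no longer does:
    the candidates for the element search and delete described above."""
    return sorted(set(before) - set(after))


# Untuned rule: everything under each start point with the full criteria set.
BASELINE_RULE = Rule(start_points=[StartPoint("/etc"), StartPoint("/var/log"),
                                   StartPoint("/var/run"), StartPoint("/opt/app")])

# Tuned rule applying the four methods from the text.
TUNED_RULE = Rule(
    start_points=[
        StartPoint("/etc"),
        StartPoint("/var/log", recurse_depth=0),        # limit recursion: the log dir only
        StartPoint("/var/run", exclude=["*.pid"]),      # element filter: drop pid files
        StartPoint("/opt/app", exclude=["*.tmp"]),
        StartPoint("/opt/app/app.log", criteria=NO_CONTENT),  # adjusted criteria set
    ],
    stop_points=["/opt/app/tmp"],                       # stop point: the temp dir
)
```

Running `evaluate(TUNED_RULE, SAMPLE_TREE)` keeps nine of the fifteen elements: the log directory itself survives with its full criteria while its contents drop out, the pid file and the temp directory disappear, and app.log stays monitored for existence, owner and permissions only. `orphaned_elements` over the before and after results gives the six paths that would now need cleaning up.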

7.2 Configure Real-time Monitoring for Rules

Real-time Monitoring is a two-step process. It must be enabled at the node level as well as the rule level.

NOTE: Not all rule types support RTM.

To enable RTM at the rule level, perform the following steps:

1. Select the parent group of the rule you would like to configure in the Tree Pane.

2. Click on the name link of the rule you would like to configure to open its Property Editor.

3. In the resulting Property Editor window, click on the Real-time tab.

4. On the Real-time tab, mark the “Enable real-time monitoring” checkbox.

5. Click OK to save the configuration.

8 POLICY OPERATIONS

8.1 Using the Policy Manager

The Policy Manager allows a user to create, import, export, edit, duplicate, organize, and delete policies, policy tests, or policy groups. Users can also promote, execute, and waive policies. A policy measures the degree to which configurations of monitored systems are in compliance with an industry or corporate standard. A policy test determines if a monitored system complies with a specific requirement of a policy. TE ships with three policy test types: content, attribute, and Windows ACL tests. The Policy Manager allows you to create custom policies/policy tests or to import and use policies published by Tripwire (based upon well-established standards such as CIS, PCI, SOX, NIST, DISA, etc.).

The following are some recommendations to consider when using the Policy Manager:

• It is best to only import the policies that you really need. Importing policies for platforms you do not support or for standards you do not need to be compliant with unnecessarily decreases manageability, consumes database space, and requires additional processing.

• To perform operations on policy, policy test, or policy test group objects, you need to have the “Tests” tab selected on the Main Pane. If “Compliance” is selected, the buttons in the button bar will be inactive.

• After importing new policies, be sure to scope the policies to only the nodes that the policy applies to. Scoping the wrong nodes (or none at all) will affect the results you get and likely lead to confusion. Then baseline the nodes with the policy rules to kick off the policy test workflow.

• Always import the policy rule XML files into the Root Rule Group of the Rule Manager prior to importing the policy test XML files into the Root Policy Test Group of the Policy Manager. Failing to do so will result in an error upon import of the policy test XML file. When viewing the extracted files you downloaded from the Tripwire Customer Center, look for “Policy_Rules” in the filename to distinguish the policy rules XML file(s) from the others. The policy test XML file(s) will have a filename that begins with the name of the standard, such as PCI or CIS.

• When viewing compliance results using the “Compliance” tab, it is helpful to only show results for nodes scoped by the policy you have selected. To do so, enable the filter by clicking on the link in the lower-right corner and checking the box to enable it.

• By default, any policy score less than 100% is considered “failing”. If you would like to configure different scoring thresholds to represent different “tiers” or “steps” on the progress to compliance, you can configure them on the policy’s property editor.

• To view the specific pass/fail results for a specific policy test, drill down to the desired policy test using the Tree Pane, select the policy test, and view the results in the “Compliance” tab of the Main Pane. Each test is reported individually, both graphically and through text, to reflect the current test results. The test is identified in the upper right section of the Main Pane.

• When you observe a failed policy test, you will need to remediate the issue on the host in order to pass the test. Viewing the “Remediation” tab of a policy test’s property editor will show you instructions you can follow to remediate the issue. You can also see this remediation text on certain reports, such as the Detailed Test Results report (when the “Show Remediation” option is selected). Once the remediation has been performed, you will need to perform a check of the node to detect the configuration change. If the remediation has been properly implemented, you should then see a passing result. Keep in mind that policy tests are like actions in that they will only be executed when there is a change in the associated element they are scoped to.

• One of the best ways to view policy and policy test results is through reports. Be sure to try various compliance-related reports to find the ones best suited to your desired output. There are summary reports as well as detailed ones.

8.2 Creating a Policy Waiver

There may be situations in which your nodes will never be able to pass certain policy tests. It could be that implementing the configuration change would break some business critical function, or perhaps the policy test is outside of the scope of compliance required for your organization. Whatever the reason, TE includes the ability to waive policy test results so that the result is not factored into the policy score.

1. Navigate to the Policy Manager and ensure you have the “Tests” tab in the Main Pane selected.

2. Navigate to the desired policy or policy test you want to apply the waiver to and mark its checkbox.

3. Click on the New Waiver button from the button bar.

4. In the resulting dialog window, give the waiver a meaningful name. Make sure the correct policy is selected from the “Policy” dropdown. Then enter the remaining information:

5. Granted by: enter the name of the person or group that granted the waiver, such as an auditor or perhaps change management.

6. Responsible: enter the name of the person or group responsible for updating the node(s) to meet compliance.

7. Description (optional): enter a meaningful description for the waiver.

8. Expires: either set the waiver to never expire, or select a time you expect to have the condition remediated by.

9. Click Next >.

10. Use either the “Add tests with failures” or “Add nodes with failures” button to populate the list with nodes and tests you would like this waiver to apply to.

11. Click Next >.

12. The following page will list any node and test combinations that are not in scope with this node. These node-test pairs will be removed from the waiver.

13. Click Finish.

NOTE: You can only waive failed test results. You cannot waive a test in expectation of a future failed result.

After configuring a waiver, those in-scope node-test pairs will have their failed result excluded from the policy score. When viewing the overall policy score, you will see a “Score” column for the score with waivers considered and a “Without Waivers” column for the score without waivers considered.
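An added Python model of the scoring described in this section and the thresholds mentioned under 8.1 (example code, not Tripwire's implementation): it applies the wizard's rules that only in-scope, currently failing node-test pairs can be waived and that an expired waiver stops counting, and it reports the score both with and without waivers. The scoring formula (passing pairs divided by scored pairs, with waived failures removed from the calculation), the node and test names, and the tier thresholds are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

Pair = Tuple[str, str]  # (node name, policy test name)


@dataclass(frozen=True)
class TestResult:
    node: str
    test: str
    passed: bool


@dataclass
class Waiver:
    name: str
    pairs: Set[Pair]
    expires: Optional[date] = None  # None = never expires

    def covers(self, pair: Pair, today: date) -> bool:
        if self.expires is not None and today > self.expires:
            return False  # an expired waiver no longer excludes anything
        return pair in self.pairs


def build_waiver(name: str, requested: Set[Pair], results: List[TestResult],
                 expires: Optional[date] = None) -> Tuple[Waiver, Set[Pair]]:
    """Mirror the wizard: keep only node-test pairs that are in scope and
    currently failing; everything else is dropped and returned separately."""
    failing = {(r.node, r.test) for r in results if not r.passed}
    kept = requested & failing
    return Waiver(name, kept, expires), requested - kept


def policy_score(results: List[TestResult], waivers: List[Waiver],
                 today: date) -> Tuple[float, float]:
    """Return (score with waivers, score without waivers) as percentages.
    Assumed model: passing pairs / scored pairs, where a waived failing
    pair is removed from the calculation entirely."""
    total = len(results)
    passed = sum(1 for r in results if r.passed)
    waived = sum(1 for r in results if not r.passed
                 and any(w.covers((r.node, r.test), today) for w in waivers))
    without = 100.0 * passed / total if total else 100.0
    scored = total - waived
    with_waivers = 100.0 * passed / scored if scored else 100.0
    return with_waivers, without


def compliance_tier(score: float,
                    thresholds: Optional[List[Tuple[float, str]]] = None) -> str:
    """Map a score to a tier label; by default only 100% passes."""
    for minimum, label in sorted(thresholds or [(100.0, "Passing")], reverse=True):
        if score >= minimum:
            return label
    return "Failing"


# Constructed sample: a policy with two tests scoped to four nodes.
SAMPLE_RESULTS = [
    TestResult("web01", "ssh-root-login-disabled", True),
    TestResult("web01", "password-max-age", False),
    TestResult("web02", "ssh-root-login-disabled", True),
    TestResult("web02", "password-max-age", True),
    TestResult("db01", "ssh-root-login-disabled", False),
    TestResult("db01", "password-max-age", True),
    TestResult("db02", "ssh-root-login-disabled", False),
    TestResult("db02", "password-max-age", True),
]
# Constructed waiver request: one failing pair, one passing pair, one out-of-scope node.
REQUESTED = {("db01", "ssh-root-login-disabled"), ("db01", "password-max-age"),
             ("app99", "ssh-root-login-disabled")}
TODAY, EXPIRY, AFTER_EXPIRY = date(2020, 6, 1), date(2020, 12, 31), date(2021, 1, 1)
CUSTOM_TIERS = [(100.0, "Compliant"), (70.0, "In progress")]

if __name__ == "__main__":
    waiver, dropped = build_waiver("db01 root login exception", REQUESTED, SAMPLE_RESULTS, EXPIRY)
    score, raw = policy_score(SAMPLE_RESULTS, [waiver], TODAY)
    print(f"dropped from waiver: {sorted(dropped)}")
    print(f"score {score:.1f}% ({compliance_tier(score, CUSTOM_TIERS)}), "
          f"without waivers {raw:.1f}% ({compliance_tier(raw, CUSTOM_TIERS)})")
```

With the sample data the waiver keeps only the db01 root-login failure; the passing db01 pair and the unscoped app99 pair are dropped, matching the NOTE and step 12. The score with the waiver is 5/7 (about 71.4%) against 5/8 (62.5%) without it, so the custom tiers place the policy at "In progress" rather than "Failing", while the default threshold still reports both scores as failing. Once the waiver's expiry date passes, both columns fall back to 62.5%.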

Page 86: USING TRIPWIRE ENTERPRISE 8 - University at Buffalo · 2020-01-06 · The Using Tripwire Enterprise 8.3 Guide provides a task-focused look at operating Tripwire Enterprise (TE). The

85 | Using Tripwire Enterprise 8.3 | Tripwire Professional Services

9 OTHER OPERATIONS

9.1 Configure the Login Method

NOTE: Configuring the Login Method requires the Administrator role.

The Login Method controls how TE authenticates user credentials. There are two authentication

methods available: Password and LDAP/Active Directory. With the Password method, TE authenticates

the username and password provided when logging in against its own database. With the LDAP/Active

Directory method, an LDAP or Active Directory server handles authentication of the supplied

credentials.

NOTE: TE always authenticates the built-in “administrator” user account with the Password method

regardless of the Login Method configured.

By default, Tripwire uses Password authentication. Switching to LDAP/Active Directory authentication is

beneficial for a couple of reasons: 1) the user continues to use their familiar network/domain

credentials to log in to the Console, and 2) user password management occurs within LDAP or Active

Directory (expiration, resetting, etc.) instead of TE.

NOTE: TE does not integrate directly with LDAP or Active Directory. TE simply passes the provided

credentials to the specified directory server for processing and verification. This means that

network/domain users needing access to TE will need to have a user account created for them within

TE. It is critical that the spelling and case of the network/domain username match the TE username

spelling and case. If there are differences between the two, authentication will fail.

TIP: Ensure you have created a TE user account for your personal network/domain user account (or edit

your previous account username to match your network/domain username exactly). Not only will this

serve as your new TE user account, but you can use this account to test the configuration as well!

NOTE: Even after switching to LDAP/Active Directory authentication, new user accounts will still require

a local password to complete the user account creation process. However, the network/domain

password will be used instead of the local password.

To switch to LDAP/Active Directory authentication, navigate to Settings Manager > Administration >

Login Method:

1. Ensure you know the built-in “administrator” passphrase. This will allow you to log in after

enabling LDAP/Active Directory authentication and correct any configuration issues.

2. From the “System login method” dropdown, select LDAP/Active Directory.

Page 87: USING TRIPWIRE ENTERPRISE 8 - University at Buffalo · 2020-01-06 · The Using Tripwire Enterprise 8.3 Guide provides a task-focused look at operating Tripwire Enterprise (TE). The

86 | Using Tripwire Enterprise 8.3 | Tripwire Professional Services

3. Enter the URL for the LDAP or Active Directory server to be used for authentication with the

required ldap:// prefix.

4. Enter the desired User template. It is recommended you use the User Principal Name (UPN)

format “[email protected]” for Active Directory. Other valid formats include Distinguished

Names “CN=$user,CN=Users,DC=example,DC=com” (recommended for LDAP) and the Active

Directory SAM Account Name “example.com\$user”.

5. To encrypt communication between the TE Console server and your specified directory server,

mark the “Connect using SSL” checkbox. This will require SSL to be supported by the specified

directory server. Additionally, you will need to add the server certificate of your directory server

to the TE Console keystore.

6. Click “Apply” to save your new configuration.

7. Log out of TE and log in using your network/domain username to verify connectivity (you made

sure you have an account in TE that matches your network/domain username exactly, right?).

8. If your attempt fails, log in as “administrator” and adjust your configuration. It will be helpful to

consult the Log Manager to see what error you are getting when attempting to authenticate.

Common causes of issues include:

- Mistyped directory server URL
- Mistyped domain in the user template field
- No corresponding user account created in TE
- Username in TE does not match the spelling/case of the network/domain username
- You did not import (or incorrectly imported) the root server certificate after enabling SSL

The Tripwire Enterprise 8.3 User Guide has additional instructions for configuring the Login Method on page 282.


The Login Method page also allows you to configure an account lockout policy. To do so:

1. Mark the “Enable Account Lockout Policy” checkbox.

2. Configure the desired account lockout duration, threshold, and reset counter time in the available fields. For most customers, the defaults are fine.

3. Mark the “Notify user on account lockout…” checkbox if you wish to send a notification email to the user when they are locked out. This option requires the user to have an email address specified for their account.

4. Configure the email CC, subject, server, and body options as desired. For most customers, the defaults are fine. If you want to alert the TE Administrator of the user lockout, add their user account to the CC field.
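To make the three lockout settings concrete, the following added example (not Tripwire code) models how a threshold, a reset counter window and a lockout duration interact, and why the notification option depends on the account having an email address. The policy values, account names and the admin CC list are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    """Mirrors the three Login Method fields: threshold, reset counter, duration."""
    threshold: int = 3            # failed logins that trigger a lockout (constructed value)
    reset_counter_secs: int = 60  # failures older than this window no longer count
    lockout_secs: int = 300       # how long the account stays locked


@dataclass
class Account:
    username: str
    email: Optional[str] = None                    # needed for "Notify user on account lockout"
    failures: list = field(default_factory=list)   # timestamps of failures inside the reset window
    locked_until: Optional[float] = None


def is_locked(acct: Account, now: float) -> bool:
    """A lockout expires on its own once the lockout duration has elapsed."""
    if acct.locked_until is not None and now >= acct.locked_until:
        acct.locked_until = None
        acct.failures.clear()
    return acct.locked_until is not None


def record_failure(acct: Account, policy: LockoutPolicy, now: float, admin_cc=()):
    """Count one failed login; return a notification record when it triggers a lockout."""
    if is_locked(acct, now):
        return None  # modelling assumption: failures during a lockout do not extend it
    # Reset counter: drop failures that fell outside the window before counting this one.
    acct.failures = [t for t in acct.failures if now - t < policy.reset_counter_secs]
    acct.failures.append(now)
    if len(acct.failures) < policy.threshold:
        return None
    acct.locked_until = now + policy.lockout_secs
    acct.failures.clear()
    return {
        "user": acct.username,
        "locked_until": acct.locked_until,
        "notify_user": acct.email is not None,  # no address on the account, no user email
        "cc": list(admin_cc),                   # the TE Administrator added to the CC field
    }


def record_success(acct: Account, now: float) -> bool:
    """A successful login clears the counter; it is refused while the account is locked."""
    if is_locked(acct, now):
        return False
    acct.failures.clear()
    return True
```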


9.2 Support Data

There are times when having configuration and troubleshooting data for your Agents can be valuable in diagnosing and resolving Agent issues. Furthermore, Tripwire Support will request this data when assisting you. You can generate a support bundle (a zipped archive of Agent configuration and troubleshooting data) through the Console:

1. Navigate to the Settings Manager > System > Support Data page.

2. Click on the Collect… button.

3. In the resulting dialog window:

   a. Enter an optional Tripwire Support case number in the field.

   b. Keep the checkbox for “Include files from the TE Server’s agent” selected if you would like to generate a support bundle for the TE Console’s local Agent. Otherwise uncheck the checkbox.

4. Click on the Next > button.

5. Click the Add button.

6. In the resulting dialog window, navigate the tree and select a node or node group you would like to generate support bundles for. Your current selection appears in the “Selection” field.

7. Click Add if you would like to add the current selection and have the opportunity to add additional selections. Click OK if your current selection is adequate and you would like to close the window.


8. Your added selections will be listed in the original dialog window. Click Finish to generate the support bundle(s). You will be prompted to save the file.

9. Once you have the support bundle, you can extract the contents to view the data yourself or provide it to Tripwire Support, if requested.

TIP: It is not recommended to select the “Root Node Group” as this will result in connections to every Agent monitored by Tripwire and result in a large zip file. Similarly, be mindful of selecting node groups with large numbers of Agents for the same reason.


9.3 Create a Promotion Approval Template

By default, promoting element changes requires you to enter a comment and an optional approval identifier. If you regularly promote element changes for the same reason (such as a “business as usual” change), configuring a promotion approval template allows you to apply the same comment and approval identifier to those promotions. This makes the process more efficient for those individuals responsible for promoting changes by saving time and providing consistent verbiage when promoting similar changes.

1. Navigate to the Settings Manager > System > Approval Templates page.

2. Click on the New Approval Template button.

3. In the resulting dialog window, specify an approval template name and (optional) description.

4. Click Next.


5. Specify a promotion comment and/or approval identifier. Approval identifiers are commonly a username or change request ID for the approved change. You can use a date variable if you would like to include the date/time of the promotion in either the comment or approval ID. Click on the “Help” link for specific uses of the date variable.

6. Click Finish to create the approval template. Your approval template is now listed on the Approval Templates page and is available to select when using the promotion workflow.

NOTE: You can also configure a new approval template when using the promotion workflow.

TIP: One strategy is to keep placeholders in your approval template (see screenshots above) to make them more flexible. When you choose an approval template to use when performing the promotion, you will have an opportunity to edit the values of the comment and approval identifier fields at that time.


9.4 Using Home Pages

Home pages are configurable pages that display information about TE or monitored systems through dashboards, reports, alerts, and more. The Home Page Manager is typically used by managers or other non-administrative users, who have little or no need to access data from different manager components, to get a quick overview of the state of their environment. The first time you log in to the Console you will be directed to the Home Page Manager, where you will see any home pages that have been assigned to you.

The Home Page Manager has a Configuration Pane on the left and a Main Pane on the right. You can collapse the Configuration Pane by clicking on the “<<” button in the pane’s upper-right corner. A home page can contain up to three configurable rows, each containing up to four columns. In other words, it could contain merely a single region, or it could contain 12 regions. You can expand or collapse a row by clicking on the arrow at the top or bottom of the Main Pane (the row “delimiter”). You can resize rows by adjusting the row delimiter, as well. To add or remove columns, click on the gear button in the upper-left corner of each region and select the desired number of columns.

Once you have defined the regions of your home page, you can then add widgets. On the Configuration Pane, you can access widgets from the Widgets tab. Then simply drag and drop a widget into the desired region. Widgets allow you to display various information about your monitored systems, including alerts, reports, dashboards, and more.

Home pages can be created from either the Home Page Manager or the Settings Manager. Once created, you will need to assign a home page to a user before they can view it. Home pages can only be configured from the Home Page Manager, however. It is wise to create the reports and dashboards you would like to see on the home page first. Then you can create your home page and configure the widgets within it.

Below are some recommendations to keep in mind when creating home pages:

- Home pages are generally "role-specific." For example, typical home pages might display data unique to Security Configuration Management, File Integrity Monitoring, Security, Administration, etc. This allows you to granularly assign users with specific roles to specific home pages.

- Home pages may be created either from the Settings Manager or the Home Page Manager. Creating them from the Settings Manager allows you to do three things: create the new home page, assign pre-existing users to it, and import/export pages from or to an XML file. You must move to the Home Page Manager to perform the actual configuration of any newly created home page. The Home Page Manager allows you to do all of the previously mentioned steps except import/export of home pages. You may find it easier to assign users to home pages from the Settings Manager because you can quickly access the user list from that location to see both the user account and description. This is most helpful when user logins are not easily associated with the user name.

- Home pages are built using "widgets". Widgets are customizable home page components that come in a few types. Commonly used types include dashboards (graphical reports), non-graphical reports, and alerts for specific log messages.

- If you haven't already created your graphical and non-graphical reports or dashboards, navigate to the Reports Manager and build them before creating your home page. You will then have content to add and configure.

NOTE: Completing the Fast Track process will create certain home pages for you. These give you a start and can then be configured later.

1. Navigate to the Settings Manager > Administration > Home Pages page.

2. Click on the New Home Page button.

3. In the resulting dialog window, specify a home page name and (optional) description.


4. Click Next.

5. Select the users you would like to assign the home page to from the “Available Users” panel (left side) and click on the add arrow (right-pointing arrow). Your selection(s) will appear in the “Assigned Users” panel (right side). If you added a user you do not want assigned to the home page, select them from the “Assigned Users” panel and click the remove arrow (left-pointing arrow).

6. Click Finish.

7. Navigate to the Home Page Manager. Expand the Configuration Pane if it is not already expanded.

8. Select the home page you created from the tabs at the top of the Main Pane.


9. At this time it is best to adjust your layout to create the desired number of regions.

10. Select the “Widgets” tab in the Configuration Pane. To add a widget, click on the widget type.

11. When prompted whether you would like to continue, select either “Continue” or “Do not Ask Again” if you want to avoid future prompts for each action you take on this home page.

12. New widgets are added to the middle row by default. You may want to move them to either the top or bottom rows by clicking and dragging the widget using its title bar.

13. Click the gear button in the upper-right corner of the newly added widget.

14. In the resulting dialog window:

   a. Specify a more meaningful name for this widget. This name will be visible on the home page.

   b. Depending upon the type of widget you selected, you may have additional options to configure. For example, adding a dashboard widget requires you to navigate the Tree Pane and select the desired dashboard to display in the widget.


15. Click OK. The new widget now appears in the home page as configured.

16. Depending upon the type of widget you added, there may be an additional configuration step required. For example, the alert widget requires you to click on the “Alert on…” button to specify the source for the alerts you want to view.

17. You can now add additional widgets and/or adjust the layout as needed. When you are finished, you will likely want to collapse the Configuration Pane to maximize your viewable space.


9.4.1 Alerts Widget

Follow the steps above to add the alerts widget. Once you specify a name for the widget by using the gear button (step 14), you will need to perform some additional configuration.

1. Click the Alert on… button and select the desired source for the alerts. Continue to add alerts as you see fit.

2. Click on the gear button to access the options for the alert. This allows you to set the scope for or delete the alert, clear the data, etc. Scoping the alert allows you to only receive alerts for the specified nodes or some other factor.

3. From the gear menu, click on the Configure button.

4. In the resulting dialog window:

   a. Click the manila folder icon(s) to select the node/node groups or policy/policy test groups to scope the alert to.

   b. Depending upon the alert type you’ve added, you may have additional options to set.

5. Click OK. Your alerts widget is now configured. If you want to only show active alerts, uncheck the “View All” checkbox.


9.5 Create a Custom Property

There may be specific situations in which you need to define a specific property for a node, element, or version. Besides using smart node groups to accomplish your goal, you can also use a custom property. A custom property is a user-defined property that you can apply to a node, element, or version. These properties can then act as a filter used in various operations or features such as actions or reports. Examples include automatically promoting an element version when the parent element has a specific property, producing a report that either includes or excludes nodes with specific properties, etc.

The most common usage of this feature is to apply properties to either nodes or elements. Of the element properties, the most common usage is to create a “business-as-usual” (BAU) property. This property is applied to elements whose changes should be automatically promoted as they are of a common, business-as-usual nature. In this specific example, the default value of the BAU property would be “false” for all elements. Only those elements meeting the BAU criteria would have the property set to “true”.

The process to create a custom property is the same for node, element, and version properties. The only difference is which page you create the property on.

1. Decide if you are creating a node, element, or element version property. Then navigate to the Settings Manager > Custom Properties > Version Properties, Element Properties, or Node Properties page, depending upon your decision.

2. Click on the New Property button.

3. In the resulting dialog window, select the property type you would like to create.

4. Click Next.


5. In the resulting dialog window, specify a property name and (optional) description.

6. Click OK.

7. Specify your desired options:

   a. The “Inherit the default if no value is specified” checkbox determines whether or not the object will inherit the property’s default value if a custom value is not specified for the object. You most likely want this checked.

   b. The “Editable in property editor” checkbox determines whether or not users can enter a custom value for the object. You most likely want this checked.

   c. Enter a default value for the property in the “Default value” field. This may be Yes/No, a number, or some other value depending upon the type of property you are creating.

   d. Specify the remaining options available to you. These may be additional values or simply additional options for the property. For questions about these remaining options, click on the “Help” link.

8. Click Finish. The custom property is created and associates itself with every object of its type (node, element, or element version) using the default value.