Te Evaluation Guide PDF

TRIPWIRE®
ENTERPRISE
TRIPWIRE ENTERPRISE 8.7.0

EVALUATION GUIDE
FOUNDATIONAL CONTROLS FOR

SECURITY, COMPLIANCE & IT OPERATIONS
© 1998-2018 Tripwire, Inc. All rights reserved.
Tripwire is a registered trademark of Tripwire, Inc. Other brand or product names may be trademarks or
registered trademarks of their respective companies or organizations.
Contents of this document are subject to change without notice. Both this document and the software described
in it are licensed subject to Tripwire’s End User License Agreement located at https://www.tripwire.com/terms,
unless a valid license agreement has been signed by your organization and an authorized representative of
Tripwire. This document contains Tripwire confidential information and may be used or copied only in
accordance with the terms of such license.
This product may be protected by one or more patents. For further information, please visit:
https://www.tripwire.com/company/patents.
Tripwire software may contain or be delivered with third-party software components. The license agreements
and notices for the third-party components are available at: https://www.tripwire.com/terms.
Tripwire, Inc.
One Main Place
101 SW Main St., Suite 1500
Portland, OR 97204
US Toll-free: 1.800.TRIPWIRE
main: 1.503.276.7500
fax: 1.503.223.0182
https://www.tripwire.com
tripwire@tripwire.com
Contents
Evaluation Overview 6
Installation & Configuration 7

Installing Tripwire Enterprise 8
Activity: Installing Tripwire Enterprise Console Software 8
Activity: Getting Started with Fast Track 9
About the Tripwire Enterprise Interface 11
Configuring Tripwire Enterprise 14
About Nodes 14
Activity: Creating Nodes 14
About Tripwire Enterprise Agent and Tripwire Axon Agent 15
About Tags and Smart Node Groups 16
Activity: Assigning Tags to Nodes 17
About Rules 18
Optional: Creating Network Device, Directory, or Database Rules 18
About Actions 19
Activity: Creating an E-mail Action 19
Detecting Changes 21
Baselining Monitored Systems 22
About Elements, Element Versions, and Baselines 22
About Version Checking 22
About Tasks 23
Activity: Running Tasks to Create Baselines 24
Activity: Reviewing a Baseline 25
Detecting Changes with Version Checks 26
Activity: Making a Change 26
Activity: Running a Version Check 26
Tripwire Enterprise 8.7.0 Evaluation Guide 3 Contents

Reporting 27
Reports 28
About Reports 28
Types of Reports 28
Activity: Viewing Changes with Linked Reports 28
Dashboards 30
About Dashboards 30
Activity: Running and Viewing a Dashboard 30
Home Pages 31
About Home Pages 31
Activity: Viewing Home Pages 31
Reconciling Changes 32
About Change Reconciliation 33
Assessing Detected Changes 35
Activity: Viewing Changes in the Node Manager 35
Activity: Viewing Changes with the Difference Viewer 35
Resolving Detected Changes 37
Activity: Promoting Element Versions 37
Configuration Assessment 38
About Configuration Assessment 39
How Does a Policy Test Work? 40
Testing and Viewing Compliance 41
Activity: Testing Compliance with Policies 41
Activity: Viewing Compliance with Policy Reports 41
About Remediation 43
Summary 44
Evaluation Guide Summary 45

Other Tripwire Enterprise Features 46
Monitoring Asset Health 46
Custom Properties 46
Conditional Actions 46
Audit-Log Integration and Real-Time Monitoring 47
User Roles and Access Controls 47
TE Console REST API and Command Line Interface 47
Integrating Tripwire Enterprise with External Resources 48
Customer Services 49
Contact Us 49

Evaluation Overview
The Tripwire Enterprise Evaluation Guide provides a detailed introduction to Tripwire

Enterprise (TE) software. To demonstrate application features and functions, the Evaluation
Guide walks you through the process of configuring and using Tripwire Enterprise. To benefit
fully from the evaluation process, read the Evaluation Guide sequentially.
The Guide consists of the following parts:
l Installation & Configuration (on page 7). In Part 1 of the evaluation, you will install
Tripwire Enterprise and log in for the first time. After reviewing the user interface, you
will configure the software to monitor your network for change.
l Detecting Changes (on page 21). In Part 2, you will learn how to detect changes on your
network with Tripwire Enterprise.
l Reporting (on page 27). Tripwire Enterprise includes a robust collection of reports that
present data about monitored systems on your network. In Part 3, you will view reports
and use linked reports to "drill down" into changes.
l Reconciling Changes (on page 32). If TE detects changes on your network, you should
resolve the changes. Part 4 demonstrates how you approve or reject changes detected by
the software.
l Configuration Assessment (on page 38). In this section, you will learn how to use
Tripwire Enterprise for configuration assessment. To do this, you will run policies to test
compliance on monitored systems and then review the results.
l Summary (on page 44). This section reviews the evaluation process and suggests
additional areas of Tripwire Enterprise functionality that you may want to explore.
Note The Tripwire Enterprise Evaluation Guide includes cross references to other
publications in the Tripwire Enterprise documentation set.
PDFs of all Tripwire Enterprise documents can be found in the /docs directory of
the Tripwire Enterprise download archive or on the Downloads page of the
Tripwire Customer Center (https://tripwireinc.force.com/customers).
Tripwire Enterprise 8.7.0 Evaluation Guide 6 Evaluation Overview

Installation &
Configuration
Installing Tripwire Enterprise
Activity: Installing Tripwire Enterprise Console Software

When installing TE Console, it's helpful to understand the following terms:
l A Tripwire Enterprise Server is the host machine on which Tripwire Enterprise

Console software is installed.
l The TE database or backend database stores the data generated by TE Console.
l TE Console and the TE database are normally installed on different systems
(a distributed installation), but can be installed on the same system for small
environments or demonstration purposes (a single-system installation).
To install TE Console, see the following sections of the Tripwire Enterprise Installation
& Maintenance Guide:
l Installation Overview
l Configuring the Tripwire Enterprise Database
l New Installations of Tripwire Enterprise Console
At the end of the TE Console installation process, you will use the Fast Track interface to
configure the software. See Activity: Getting Started with Fast Track on the next page for
guidance on which options to select in the Fast Track interface.
Note All Tripwire Enterprise documents can be found in the /docs directory of the
Tripwire Enterprise download archive or on the Downloads page of the Tripwire
Customer Center (https://tripwireinc.force.com/customers).
Tripwire Enterprise 8.7.0 Evaluation Guide 8 Installation & Configuration

Activity: Getting Started with Fast Track
Tripwire Enterprise uses the Fast Track interface to help you quickly to configure TE for
Change Auditing, Policy Management, or an integrated Security Configuration Management
(SCM) solution. It only takes a few minutes to complete the setup questionnaire. After you do,
Fast Track will use your answers to install the components that you need.
To launch Fast Track, log in to Tripwire Enterprise:

1. Open a Web browser on any system networked with your Tripwire Enterprise Server.
2. Enter the following URL:
https://<TE_Server_hostname>:<port>
where:
<TE_Server_hostname> is the hostname or IP address of your TE Server, and
<port> is the Web Services port number entered when TE Console was installed.
For example:
https://watchdog.example.com:443
3. Enter the services passphrase you created when you installed TE Console to access a
database configuration dialog. Enter the database information and restart TE.
4. Enter the services passphrase again to change the default passphrase for the
TE administrator user account.
5. Log in to TE using the administrator account you just created.
6. The Fast Track interface opens. Click Configure Tripwire Enterprise and use the tips
below to configure Tripwire Enterprise for evaluation.
l In step 1, browse to the license file (.cert) you received with the other Tripwire
Enterprise files. If you don't have a license file, contact your Tripwire sales
representative.
l In step 2, be sure to select at least one policy if you want to evaluate TE's policy
management capabilities.
l In step 3, make sure to select the operating system for the system where TE
Console is installed, in addition to any other systems that you want to evaluate.
l In step 4, don't enable checks and reports now. You will run these manually.
l In step 5, set up an email server now if you have this information. You can
configure the server later, but it's easier to do it with the Fast Track interface.
l In step 6, enter a user name, password, and e-mail address to create a user account
that you will use to access Tripwire Enterprise Console.

7. After completing the fields on this page, click Preview Configuration to see the objects
that TE will install. Then click Apply Configuration to install these objects.
8. After TE has finished the configuration, click Continue to Tripwire Enterprise to
launch the software.
By default, Tripwire Enterprise opens to the Home Page Manager, which we'll discuss later in
the evaluation. The next section describes the user interface used in other parts of the software.

About the Tripwire Enterprise Interface
The Tripwire Enterprise interface is a Web-based GUI that allows an unlimited number of
users to simultaneously use Tripwire Enterprise. Figure 1 shows the main components of the
interface, which are described in greater detail in this section.
Note When working in the TE interface, do not use your Web browser’s Forward,
Back, or Refresh buttons.
Figure 1. The Tripwire Enterprise interface
Manager Bar and Tabs
Use the Manager bar (Figure 2 below) to select the component of Tripwire Enterprise that you
want to use. Each Manager in Tripwire Enterprise controls a different component of the
software. For example, the Node Manager is used to view, create, and perform other actions on
nodes.
Based on the permissions assigned to your user account, some Managers may not be accessible
from the Manager bar.
Figure 2. The Manager Bar
Tip Click the Tripwire Enterprise logo on the left side of the button bar to see the
Tripwire Enterprise version and build number that you are using.

When you select a Manager in the Manager bar, TE displays a unique set of tabs (Figure 3)
along the top of the interface. Each tab contains a sub-set of functions and data for the selected
Manager.
Figure 3. Tabs for the Node Manager
Button Bar
The button bar (Figure 4) consists of buttons that initiate TE functions. The actual buttons in the
bar depend on which Manager is selected in the Manager bar, and which tab is selected in the
Manager. Some Managers have many buttons grouped in expandable button sets. To expand or
retract a button set, click the corresponding button.
Some buttons in the button bar may be disabled until you select an appropriate object for that
action. And as with the Manager bar, some buttons may be permanently disabled, based on the
permissions for your user account.
The label button at the left end of the button bar toggles the display of text labels through
three states:
l Show all labels in a Manager’s button bar.

l Hide all labels in a Manager’s button bar.
l Show the label of a button only when you move your cursor over the button.
Figure 4. The Button bar (with the Control button set expanded)
Interface Toolbar
The interface toolbar, in the upper right section of the Console, consists of the following buttons:
l Refresh updates displayed data with the latest information. Do not use your Web
browser’s Refresh button to refresh data in the Tripwire Enterprise interface.
l Help opens the TE online help system.
l Logout ends the current user session.

Tree Pane and Main Pane
In most Managers, the tree pane displays the hierarchy of groups used to organize the objects in
that Manager. If you select an object in the tree pane, information about that object is displayed
in the main pane. For example, if you select a group, all of the objects and groups descended
from that group are displayed.
To execute an action on an object in TE, you first select the object's parent group in the tree
pane, then select the object in the main pane. To execute an action on a group, you first select
the group's parent group in the tree pane, then select the group in the main pane.To execute an
action on all of the objects in a Manager, select the Root group for that Manager in the tree
pane, then select all of the descendant objects in the main pane.
In Figure 5, the General Policy Rules group is selected in the tree pane, and a number of rules in
that group are selected in the main pane.
Figure 5. The Tree pane and Main pane
Status Bar
Among other information, the status bar displays the name of the current user and the Manager
that is currently open. You can click the user name in the status bar to view and edit the settings
for that user account. In some Managers, you can also use the status bar to filter the objects
displayed in the Manager.

Configuring Tripwire Enterprise
About Nodes
Tripwire Enterprise audits your network for unauthorized or unintended changes. To monitor a
system on your network, such as a server or router, a node must first be added to the application.
A node is a Tripwire Enterprise object that represents a monitored system on your network.
As needed, you can add the following types of nodes to your Tripwire Enterprise
implementation.
l A network device node represents a physical router, switch, firewall, or UNIX system.
l A file server node represents a file server running a Windows, UNIX, or Linux OS.
l A directory server node represents any directory server that uses LDAP as the directory
protocol or that hosts a Microsoft Active Directory.
l A database node represents a single database on a database server. In this version of
Tripwire Enterprise, you may create a database node for an Oracle, Microsoft SQL
Server, or DB2 database.
l A virtual infrastructure node represents a component of a virtual infrastructure, such as
a VMware vCenter.
Activity: Creating Nodes

By default, TE creates a node that represents the TE Server where the software is installed. If
you have permission to change files on this system, you could just use this node for the
evaluation.
To see how Tripwire Enterprise monitors other systems, you must create additional nodes. Since
you will need to change files to see how TE works, be sure to create nodes for monitored
systems that you are permitted to change.
To create a Windows or UNIX file server node you first install Tripwire Enterprise Agent
(TE Agent) or Tripwire Axon Agent (Axon Agent) software on the system you want to monitor.
For more information on the two Agent types, see About Tripwire Enterprise Agent and Tripwire
Axon Agent on the next page.
To create a network device, directory server, database, or virtual infrastructure node see
the following procedures in the Tripwire Enterprise User Guide:
l Creating a Network Device Node

l Creating a Directory Server Node
l Creating a Database Node
l Creating a VI Management Node

About Tripwire Enterprise Agent and Tripwire Axon Agent
To create a file server node, you install one of the following types of Agent software on the
system to be monitored:
l Tripwire Enterprise Agent (TE Agent) is a remote-execution environment that enables

TE Console to monitor a file server.
l Tripwire Axon Agent (Axon Agent) is Tripwire’s new generation of agent technology,
and does not require Java to be installed on the monitored system.
Only one type of Agent software can be installed on a system to be monitored. Both types of
Agent software perform a similar function, monitoring the files and directories on a file server
(referred to as an Agent system). If a change is detected, the Agent software reports the change
to the TE Console. By performing some operations locally, the TE Agent and Axon Agent
software minimize the network traffic generated by a Tripwire Enterprise implementation.
Note The Axon Agent utilizes significantly less network bandwidth by virtue of its
messaging and compression methods.
In general, nodes with Axon Agent installed behave like those with TE Agent installed.
Differences in behavior and performance between the two types of nodes are described in
Differences Between Axon Agent and TE Agent in the Tripwire Enterprise User Guide.
For installation instructions, see the following sections of the Tripwire Enterprise Installation &
Maintenance Guide:
l Installing Tripwire Enterprise Agent

l Installing Axon Agent

About Tags and Smart Node Groups
In Tripwire Enterprise you can use tags to classify the servers, network devices, and other
systems that you monitor. Tags are descriptors that you can create and assign to your assets.
You can assign as many tags to an asset as you like and you can always rename or delete the
tags later.
Tags are organized using tag sets, which group a set of related tags. For example, a tag set
named Location could include the tags Portland, Chicago, and New York. These tags would be
represented in TE as Location:Portland, Location:Chicago, and Location:New York.
Tripwire Enterprise includes a number of system tag sets, pre-defined tag sets that organize
your assets based on operating system, device type, or other criteria. These tags are
automatically assigned to assets when you add them to TE. You can't edit or delete system tag
sets or apply them to assets.
In TE, you manage tags with the Asset View tab of the Node Manager (see Figure 6), which
provides a complementary view of the objects in the Nodes tab. Each node in the Nodes tab is
represented by an asset in the Asset View tab, and tag sets created in the Asset View tab are
represented by smart node groups in the Nodes tab. After you assign tags to assets to classify
them, you can use smart node groups to scope checks, reports, and other TE activities to a
specific set of assets.
For more information about tags and smart node groups, see Getting Started with Tags in the
Tripwire Enterprise User Guide.
Figure 6. The Asset View tab

Activity: Assigning Tags to Nodes
In this section, you will use the Asset View tab to create a new tag set and assign tags to the
nodes that you created. You will use this tag to organize nodes and scope operations during the
rest of the evaluation.
For more information about Asset View, see Using the Asset View Tab in the Tripwire
Enterprise User Guide.
To create a new tag set:

1. In the Manager bar, click NODES and select the Asset View tab.
2. In the left pane, click Manage Tagging at the top of the pane and select the Tag Sets tab.
3. To create a new tag set, enter Evaluation in the field at the top of the dialog and click
Add.
4. To add a tag to the Evaluation tag set, enter Yes in the field below Evaluation and click
Add.
5. Repeat step 4 to add an Evaluation:No tag, then click Filter Assets in the left pane to
return to the main Asset View tab.
To assign the evaluation tag to nodes:

1. In the middle pane of the Asset View tab, select the checkbox for each node that you
created. All of the nodes you select will be listed in the right pane.
2. At the top of the right pane, click Edit Tags.
3. In the drawer dialog, expand Evaluation and select Yes to apply this tag to all of the
selected nodes.
4. Click Close to apply your changes.
To view nodes in a smart node group:

1. In the Node Manager, click the Nodes tab.
2. In the tree pane, expand the Root Node Groups > Smart Node Groups > Tag Sets
> Evaluation group, then click the Yes group. All of the nodes that you assigned the
Evaluation:Yes tag to are listed in the right pane.
Tip To see system tags that Tripwire Enterprise automatically assigns to nodes,
expand the Smart Node Groups > System Tag Sets node group.

About Rules
A monitored object is any item that Tripwire Enterprise can monitor for change. For example,
a monitored object may be:
l A component of a monitored system, such as a file or registry key

l The availability of a monitored system
l Command output generated by a monitored system
l The results of a query run on a monitored system
A rule is a Tripwire Enterprise object that identifies one or more monitored objects. To check a
monitored system for changes, you specify one or more rules that identify the monitored objects
to be checked by the application. A severity level is a numeric value that indicates the
importance of a detected change. Ranging from 0 (no importance) to 10,000 (most important),
severity levels are assigned to every rule in a Tripwire Enterprise implementation.
Tripwire Enterprise uses a different set of rules for each type of monitored system. For more
information about types of rules, see What are Rule Types? in the Tripwire Enterprise User
Guide.
Note Tripwire has developed a collection of platform-specific, pre-configured rules that

can be downloaded from the Tripwire Web site. For this evaluation, you should use
the rules created during installation by the Fast Track interface. However, to
download rules for later use, visit the Downloads page of the Tripwire Customer
Center:
https://tripwireinc.force.com/customers
You must provide your license information to download rules from this Web site.
Optional: Creating Network Device, Directory, or Database Rules

During installation, the Fast Track interface enabled you to install rules for file systems and
virtual infrastructure nodes. If you only want to monitor these types of nodes (or if you are only
monitoring the TE Server) skip to About Actions (on the next page).
To create a rule for a network device, directory server, or database server node see the
following procedures in the Tripwire Enterprise User Guide:
l Creating a Configuration File Rule

l Creating a Directory Rule
l Creating a Database Metadata Rule
Note Since you will be changing the monitored objects identified by these rules, be sure
to select objects that you have permission to change.

About Actions
An action is a Tripwire Enterprise object that initiates a response to detected changes. You can
run any action as part of a version check (see About Version Checking on page 22) to ensure a
timely and appropriate response to detected changes. To run an action as part of a version check,
you first associate the action with a check rule task (see About Tasks on page 23) or an
individual rule. If a version check detects a change, Tripwire Enterprise automatically executes
the applicable actions.
For more information about actions, see What are Actions and Action Types? in the Tripwire
Activity: Creating an E-mail Action

For this evaluation, you will create an e-mail action. This type of action automatically sends an
e-mail notification to specified recipients whenever Tripwire Enterprise detects a change.
Before you can use an e-mail action, you must configure Tripwire Enterprise to use an e-mail
server on your network. If you specified an e-mail server during Fast Track configuration, you
can skip to creating an e-mail action in the next procedure.
To configure Tripwire Enterprise to use an e-mail server:

1. In the Manager bar, click SETTINGS.
2. Under the System folder, click E-mail Servers.
3. Click New E-mail Server.
4. Enter a Name and Description (optional) for the server. Then, click Next.
5. Enter SMTP information and authentication credentials (optional).
6. Click Finish.
Next, you will create an e-mail action. For more information on e-mail actions, see How Does
an E-mail Action Work? in the Tripwire Enterprise User Guide.
To create an e-mail action:

1. In the Manager bar, click ACTIONS.
2. Click New Action.
3. In the Create Action dialog, select Common > E-mail Action and click OK.
4. In the New Action Wizard, enter a Name and Description (optional), and click Next.

5. In the delivery information page:
a. Enter the e-mail addresses of any recipients in the Additional addresses field. To
enter multiple e-mail addresses, separate the addresses with a , or ; character.
b. Select the server you created for the E-mail server field.
c. Specify an E-mail type.
d. Click Next.
6. If desired, modify the Lines of context and Max lines per block. These settings only
affect the display of e-mail messages whose E-mail type is Detailed.
7. Click Finish.
In the next chapter, you will use nodes, rules, and actions to check monitored systems for
changes.

Detecting Changes
Baselining Monitored Systems
About Elements, Element Versions, and Baselines

With Tripwire Enterprise, you can detect changes in a variety of monitored objects. For a
complete list of objects that can be monitored by the application, see What Does Tripwire
Enterprise Monitor? in the Tripwire Enterprise User Guide.
An element is a system-created object that represents a single monitored object. An element

version is a record of a monitored object’s state at a specific point in time (see Figure 7 on the
next page). For example, an element could represent a configuration file on a network device,
and an element version would contain a copy of the file’s content at the time Tripwire Enterprise
created the version.
Tripwire Enterprise can create two types of element versions:
l A baseline version (or baseline) is an authoritative version of a monitored object.

Typically, a baseline represents the known-good state of a monitored object. To detect
change, Tripwire Enterprise compares the baseline with the current state of the monitored
object.
l A change version is an element version created when Tripwire Enterprise detects a
change in a monitored object.
About Version Checking

Once a baseline has been created for a monitored object, you can check the object for changes.
Version checking is the process of inspecting monitored systems for changes to monitored
objects.
During a version check, Tripwire Enterprise compares the current state of an object with the
object’s baseline. If a change is detected, the application creates a new change version.
Version checks create a detailed, historic record of a monitored object’s state. By reviewing the
element versions created for a monitored object, you can determine the source and nature of all
changes made to the object. In other words, element versions provide a thoroughly documented
audit trail.
Tripwire Enterprise 8.7.0 Evaluation Guide 22 Detecting Changes

Figure 7. Items represented by a node, element, and element version
About Tasks
A task is a Tripwire Enterprise object that performs an operation. In Tripwire Enterprise, you
can run tasks on a manual or scheduled basis. When you schedule a task, you specify the dates
and times when the task will automatically run.
A check rule task is the most common type of task in Tripwire Enterprise. A check rule task
runs a version check of the monitored objects specified by the nodes and rules assigned to the
task. If the monitored object does not have a baseline, the task creates one for use in future
version checks.
For more information on check rule tasks, see How Does a Check Rule Task Work? in the

Activity: Running Tasks to Create Baselines
When you installed Tripwire Enterprise, the Fast Track interface automatically created check
rule tasks to monitor file server nodes for change. In this section, you will first assign the e-mail
action you created to each of these tasks. Then you will manually run the tasks for the first time
to create baselines for your nodes.
Note If you created nodes and rules for network devices, directory servers, or database
servers you must first create a check rule task to monitor the nodes with the rules
you created. For more information, see Creating a Check Rule Task in the Tripwire
To assign an action to a task:

1. In the Manager bar, click TASKS.
2. In the tree pane, expand the Root Task Group and click Check Tasks. The main pain
displays one or more Critical Change Audit Check tasks.
3. In the main pane, click the link for one of the Critical Change Audit Check tasks in the
Name column.
4. In the properties dialog for the task, take a look at the Nodes and Rules tabs. In particular,
notice that this task is associated with the Critical Change Audit Rules, which monitor
important system files for changes.
5. Click the Actions tab, and then click Add to assign an action to this task.
6. In the Chooser dialog, select the e-mail action that you created earlier in the evaluation
and click OK. Now any time that this task detects a change, it will send an e-mail
notification.
7. Repeat steps 3-6 for each Critical Change Audit Check in the Task Manager.
Normally, tasks are scheduled to check systems for changes at regular intervals. However, for
this evaluation you will run the Critical Change Audit tasks manually.
To run tasks manually:

1. In the Tasks Manager, select the check box for each Critical Change Audit Check task.
2. Click Control > Run.
The first time that you run a task, Tripwire Enterprise may take several minutes to create
baselines.

Activity: Reviewing a Baseline
After Tripwire Enterprise completes the baseline process, you can review the content of the
baselines in the Tripwire Enterprise interface.
To review the current baselines for a node:

1. In the Manager bar, click NODES.
2. In the tree pane, expand the Evaluation:Yes smart node group to display the nodes you
created.
3. Expand each of the nodes to see the rules that were used to create baselines. Drill all the
way down into the Critical Change Audit Rules group to display the individual rules in
the group. Then select a rule in the tree pane to display the elements associated with that
rule in the main pane.
4. In the Current Version column of the main pane, select any link to view the baseline for
an element.
5. In the version properties dialog, review the available tabs. The information saved in a
baseline is determined by the rule used to create the baseline.
6. When you finish reviewing the baseline, click OK to close the version properties dialog.

Detecting Changes with Version Checks
Activity: Making a Change

To demonstrate how version checking works, you must first make a change to each of the
systems you are monitoring for the evaluation.
l To change a file server, make a change to one of the files or directories that you viewed
in Activity: Reviewing a Baseline on the previous page. To make a change without
affecting the operation of the monitored system, you can add a comment to a file or add a
blank file to a monitored directory.
l If you are monitoring a network device, directory server, or database, make an
appropriate change to the monitored object(s) on those systems. Make sure to change an
attribute that is monitored by the criteria set in the rule(s) used to monitor those systems.
Next, you will run a version check of the changed systems. During the version check, Tripwire
Enterprise will detect and record the changes.
Activity: Running a Version Check

At this point, you have created a baseline for a monitored system and then changed the system.
When you run the same check rule tasks that you ran before, TE will check the monitored
systems for changes.
To manually run check rule tasks:

2. In the tree pane, expand the Root Task Group and click Check Tasks.
3. Select the check box in front of each Critical Change Audit Check task.
When the task runs the version check, Tripwire Enterprise detects the changes you made to the
system. In response, the application creates a new change version for each changed monitored
object. Since the task has an e-mail action associated with it, Tripwire Enterprise also sends an
e-mail notification describing the changes to recipients specified in the action.
In the next section, we'll explore the ways that you can view changes in Tripwire Enterprise
using reports, dashboards, and home pages.

Reporting
Reports
About Reports
When you run a Tripwire Enterprise report, the application compiles data about your Tripwire
Enterprise implementation and monitored systems on your network. The application displays
report output in tables and graphs.
To create a permanent record of report output for future reference, you can archive output in the
Tripwire Enterprise Console database. To share report data with others, you can export output as
an XML or PDF file. XML report files can also be used to integrate Tripwire Enterprise with
other applications. For more information, see How Do I Manage Report Output? in the Tripwire
You can run a report manually, or define a regular schedule for report compilation. If you
schedule a report, you can specify recipients to whom Tripwire Enterprise automatically e-mails
the report output (in HTML, XML, or PDF format). For more information on scheduling reports,
see How Does a Report Task Work? in the Tripwire Enterprise User Guide.
Types of Reports
Tripwire Enterprise includes a wide range of reports that are ready to use. However, you can
use the library of report templates in TE to create new reports tailored to meet the needs of your
organization.
l For a description of the output compiled by each type of report, see What are Reports and
Report Types? in the Tripwire Enterprise User Guide.
l For sample reports, see the Tripwire Enterprise Report Catalog:
https://www.tripwire.com/products/tripwire-enterprise/tripwire-enterprise-
report-catalog-register
Activity: Viewing Changes with Linked Reports

In this section, you will see how Tripwire Enterprise displays changes with reports. In addition,
you will use links in the reports to “drill down” into the data for more detailed information. For
more information on linking reports, see How Do Embedded Report Links Work? in the Tripwire
To view changes with reports:

1. In the Manager bar, click REPORTS.
2. In the tree pane, expand Root Report Group > Change Audit Reports and click Daily
Change Summaries to display the reports in this group.
3. In the main pane, click the Run Report link for the Daily File System Changes by
Node report.
Tripwire Enterprise 8.7.0 Evaluation Guide 28 Reporting

4. In the Report Viewer, scroll through the report output. This report shows the number of
elements that have been added, removed, and modified in the last 24 hours.
5. To see how report linking works, scroll to the Details section of the report and click one
of the numbers in the columns. These links open a Changed Elements report, with more
information about the specific elements that were added, removed, or modified.
6. In the Changed Elements report dialog, scroll through the list of elements. In this report,
the changed elements listed under the Date column are links. Click one of these links to
open a Detailed Changes report with more detailed information on the specified change.
7. Click Close to close any open Report Viewer dialogs.

Dashboards
About Dashboards
A dashboard is a user-defined collection of reports that may be run and viewed together in the
Report Manager. Up to eight reports may be added to a dashboard. However, only report types
with graphic output can be added.
When you run a dashboard, Tripwire Enterprise compiles output for all of the dashboard’s
reports. Displayed in a single window called the Dashboard Viewer, the output of each report is
formatted as a thumbnail of a graph. By clicking on a thumbnail, you can open the Report
Viewer for more detailed information on the associated report.
Activity: Running and Viewing a Dashboard

In this section you will run one of the pre-configured dashboards that are included with Tripwire
Enterprise.
To run and view a dashboard:

1. In the Manager bar, click REPORTS.
2. In the tree pane, expand Root Report Group and click Change Audit Dashboards to
display the dashboards in this group.
3. In the main pane, click the Run Report link for any of the dashboards.
4. In the Dashboard Viewer, review the dashboard’s report output. Click one of the report
thumbnails to open that report in the Report Viewer.
5. Click the links in the Report Viewer to drill down into the data.
6. To close the Dashboard Viewer, click Close.

Home Pages
About Home Pages

A home page is a configurable tab that provides convenient access to Tripwire Enterprise
reports and event data. Typically, a home page presents information of interest to a specific
group of users — for example, security personnel who want a summary view of the security
status of a data center.
Each home page can contain a variety of widgets, including the following:
l An alert widget presents information about changes to Tripwire Enterprise objects such
as recently discovered nodes and errors reported by nodes. An alert widget consists of one
or more alert generators. An alert generator is a utility that automatically posts
information about TE system events that satisfy specified criteria.
l A dashboard widget presents the graphic output of reports in a specified dashboard.
l A report widget presents a list of reports that can be viewed and run from the widget.
For more information on home pages, see What are Home Pages and Widgets? in the Tripwire
Activity: Viewing Home Pages

As with reports and dashboards, Tripwire Enterprise includes a number of pre-configured home
pages that you can duplicate and modify to address the needs of your organization.
To view home pages:

1. In the Manager bar, click HOME. By default, the Home Page Manager displays a
Welcome to Tripwire Enterprise home page.
2. In the left pane of the Home Page Manager, select the check boxes in front of the Change
Audit and Tripwire Enterprise Administrator home pages.
Note You can select compliance-related home pages as well, but they won't have
interesting data until we check the compliance of nodes later.
3. In the main pane, click the tabs for each of the new home pages to view their content.
Click Run links to create various reports and click the charts to open detailed dashboards.
4. When you are finished viewing the home pages, click the Users tab in left pane. This tab
lists all of the TE users who can view the selected home page. In a Tripwire Enterprise
installation with multiple users, you could control which users can view and modify a
home page (to control access to sensitive information, for example).
For more information on controlling access to home pages, see Who can View and
Configure a Home Page? in the Tripwire Enterprise User Guide.

Reconciling Changes
About Change Reconciliation
In addition to detecting and reporting changes on your network, Tripwire Enterprise can be used
to assess and resolve changes, a process known as reconciliation.
l For an overview of change assessment, see Assessing Detected Changes below.

l For an introduction to change resolution, see Promotion and Restoration on the next page.
In this evaluation, you will reconcile changes manually after analyzing the changes using the
Tripwire Enterprise interface. However, change reconciliation in Tripwire Enterprise can be
automated to support your organization’s workflow. For a detailed example, see Example: Using
Custom Properties in the Tripwire Enterprise User Guide.
Tripwire Enterprise can also reconcile changes using external resources such as change
management systems, change ticketing systems, or patch management tools. For more
information about integration, see Integrating Tripwire Enterprise with External Resources on
page 48.
Assessing Detected Changes
When reconciling a detected change, you first determine if the change is expected or
unexpected.
l An expected change is a change that was authorized by your organization and

implemented exactly as intended.
l An unexpected change is typically treated as a security event to be investigated by IT
personnel.
To determine if a change is expected or unexpected, you can review information about the
change in Tripwire Enterprise. In the following sections, you will learn about two methods used
to review and assess detected changes.
l Activity: Viewing Changes in the Node Manager (on page 35). In the Node Manager, you
can quickly determine which monitored systems were affected by a change, as well as the
relative seriousness of each change.
l Activity: Viewing Changes with the Difference Viewer (on page 35). With the Difference
Viewer, you can open and compare any pair of element versions. In this section, you will
compare a monitored object’s current baseline with a new change version.
Tripwire Enterprise 8.7.0 Evaluation Guide 33 Reconciling Changes

Promotion and Restoration
Once you have assessed the desirability of a detected change, you can resolve the change.
l If the change is expected, you can promote the associated change version to the baseline.
Promotion is the act of creating a new current baseline that is an exact copy of a
specified element version (either a change version or historic baseline).
l (Network devices only) If an unexpected change is detected in a configuration file, you
may be able to restore the configuration. Restoration is the act of overwriting the content
of a changed file with the content of a selected element version (typically the current
baseline).
For more information, see What is Promotion? and What is Restoration? in the Tripwire

Assessing Detected Changes
Activity: Viewing Changes in the Node Manager

In the following procedure, you will review a new change version that resulted from your
version check of a monitored object. The change version is a record of the object’s state at the
time that the version check was run.
To review a change in the Node Manager:

2. In the tree pane, expand the Evaluation:Yes smart node group.
3. Expand any rule groups that are descended from the node. Note that Tripwire Enterprise
has applied a severity indicator to the icon of each object (rules, rule groups, nodes, node
groups) associated with the change.
4. Select a rule in the tree pane to display the elements associated with that rule in the main
pane.
5. In the Current Version column of the main pane, click the link for the monitored object’s
element. The new change version opens in the version properties dialog.
6. Review the information in the version properties dialog, then click OK to close the dialog.
Tip For more information, click Help in any tab.
Activity: Viewing Changes with the Difference Viewer

With the Difference Viewer, you can open and compare any pair of element versions. By doing
so, you can quickly identify differences between the versions, including:
l Added, modified, or deleted file content

l Changes in file and directory metadata, such as size and last access time
l Changes in directory server entries
l Changes in the database data definition language (DDL) or query results for database
elements
To compare the current baseline of a monitored object with the latest change version:
2. In the tree pane, expand the Evaluation:Yes node group.
3. Expand any rule groups that are descended from the node.

4. In the main pane, select the Version Type link for the object’s element.
Note If a Version Type link is not displayed for the monitored object, the current
version is the current baseline.
5. In the Difference Viewer, compare the change version with the current baseline. The
current baseline appears on the left, and the change version appears on the right.
l The Content tab shows the changes in content.
l The Attributes tab shows the changes in metadata.
6. Click Close.

Resolving Detected Changes
Activity: Promoting Element Versions

If you approve of a detected change, you can promote the associated change version to the
baseline. In a single operation, you can promote either:
l All of the latest change versions for one or more monitored systems
l Specific change versions associated with a single monitored system
In the example below, you will promote all of the latest change versions for a single system. If
the current version of a monitored object is the object’s current baseline, no action is taken.
To promote the latest change versions associated with a single monitored system:
2. In the tree pane, click the Evaluation:Yes node group.
3. In the main pane, select the check box for the node with the changes you want to promote.
Note Only nodes marked with a severity indicator can be promoted. For more
information, see Activity: Viewing Changes in the Node Manager on page 35.
4. Click Control > Promote.

5. In the promotion dialog, select Promote selected versions and click OK.
Tip For more information on other promotion operations available in Tripwire

Enterprise, see What is Promotion? in the Tripwire Enterprise User Guide.
6. In the next dialog, make sure that Custom is selected. This indicates that you will
manually enter a comment explaining why the selected element versions are being
promoted. Click Next.
Tip You can also use an approval template to automatically enter an approval
comment. For more information, see Working with Approval Templates in the
7. In the next dialog, enter a Comment and an Approval identifier (optional) for this
promotion. The Approval ID can be used to identify the change outside of TE, for example
in an external ticketing system.
8. Click Next in any remaining dialogs (which vary based on the type of version being
promoted), and then click Finish in the final dialog to promote the selected versions.

Configuration
Assessment
About Configuration Assessment
Tripwire Enterprise is the first configuration audit and control solution to combine change
auditing with configuration assessment. With TE, you can achieve continuous operational,
regulatory, and security compliance while reducing costs and improving efficiencies.
A policy is a collection of standards with which monitored systems on your organization’s

network must conform. Tripwire supports policies for a number of industry and regulatory
standards, such as the Payment Card Industry (PCI), Center for Internet Security (CIS),
Sarbanes-Oxley (SOX), and many others.
To measure the compliance of your monitored systems with a policy, you can create the
following objects in the Policy Manager:
l A TE policy determines if monitored systems satisfy all requirements of a policy. To

assess conformance with specific policy requirements, a TE policy contains a collection
of policy tests.
l A policy test determines if the current versions of specified monitored objects comply
with a specific requirement of a policy. For example, you could create a policy test that
determines if a Windows domain server requires user account passwords with more than 6
characters.
l Policy test groups are used to organize TE policies and policy tests. A policy test group
may contain TE policies, policy tests, and other policy test groups.
Each TE policy and policy test has a scope. For a TE policy, the scope identifies all of the nodes
for which the policy’s tests may be run. For a policy test, the scope specifies elements for which
the test may be run, and may limit the test to one or more nodes.
Each policy test also has pass/fail criteria, which determine if the current versions of elements
in the test’s scope comply with the policy requirement evaluated by the test. Table 1 (on the next
page) describes the pass/fail criteria for each type of policy test.
Tripwire Enterprise 8.7.0 Evaluation Guide 39 Configuration Assessment

Table 1. Types of policy tests and pass/fail criteria
Policy Test
Type Pass/Fail criteria based on ...
Attribute ... change-version attribute values specified by one or more conditions.
test
Content ... change-version content specified by one or more conditions. This type of test can be
test run on any change version that represents:
l A file
l Command output
l An RSoP report
l Database query results
l Database metadata content (DDL of a database object)
Windows ... change-version attribute values for the DACL or SACL of:
ACL test
l Files and directories in a Windows file system
l Keys in a Windows registry
How Does a Policy Test Work?

Once the scope and pass/fail criteria have been defined for a new policy test, you should run the
policy test manually in the Policy Manager.
When a policy test runs for the first time, Tripwire Enterprise:
1. Compares the current version of each element identified by the test’s scope with the
pass/fail criteria defined by the test.
2. Generates a policy test result for each current version, which indicates if the version
passed or failed the test. If the current version complies with the pass/fail criteria defined
by the test, the element passes the test.
Note A node is in full compliance with a TE policy when its monitored elements
have passed all of the policy’s tests.
3. Calculates compliance statistics for each node in the test’s scope, as well as each parent
TE policy of the test.
From this point on, Tripwire Enterprise automatically runs the policy test whenever a version
check results in the creation of change versions for elements in the scope of the test.

Testing and Viewing Compliance
Activity: Testing Compliance with Policies

To test compliance with a policy, you must first generate elements using the rules associated
with the policy tests in that policy. To do this, you will run a check rule task using policy test
rules.
To run a check rule task using the rules for a TE policy:

2. In the tree pane, expand the Root Task Group and click Check Tasks.
3. In the main pane, select the check box in front of each Policy Check task.
When the task is complete, Tripwire Enterprise will use the elements that were generated on the
monitored nodes to test those nodes for compliance. Next, you will view a summary of
compliance statistics for the TE policy, as well as the specific results of individual policy tests.
Activity: Viewing Compliance with Policy Reports

Now that you have generated some compliance results for your nodes, let's take another look at
the reports and dashboards available in the Home Page Manager.
To view compliance information in the Home Page Manager:

1. In the Manager bar, click HOME.
2. In the left pane, select the check box in front of the <Policy> Overview home pages if
they are not already checked.
3. In the main pane, click one of the tabs for the policy home pages to view it.

4. In the dashboard widget, click the pie chart for the Test Result Summary report. This
report displays summary information about policy compliance, but you can also drill into
the report for more detailed information about passing and failing tests.
5. Click one of the links in the Failed Nodes column to learn more about failing tests.
6. Review the Detailed Test Results report to see details about each test that failed, as well
as remediation instructions that can be used to bring the node into compliance.
7. When you are finished reviewing compliance reports and dashboards, click Close to close
all open dialogs.

About Remediation
Remediation is the process of resolving failures generated by a policy test. Policy tests may be
remediated in two ways:
l With manual remediation, a user manually performs the actions required to bring a node
into compliance with a policy test. As you saw in the policy compliance reports, TE
includes detailed information that you can use to bring your nodes into compliance. For
more information, see What is Manual Remediation? in the Tripwire Enterprise User
Guide.
l With automated remediation, Tripwire Enterprise can run scripts or perform other
actions to bring failing nodes into compliance with policy tests. With this feature, Tripwire
Enterprise becomes an end-to-end IT security and compliance solution that Protects,
Detects, and Corrects critical configuration settings. A full demonstration of automated
remediation is beyond the scope of this document, but see How Does Automated
Remediation Work? in the Tripwire Enterprise User Guide for a complete description of
this feature.
Both of these remediation techniques can be used in the same Tripwire Enterprise
implementation. For example, you may configure some policy tests to support automated
remediation and require others to be manually remediated. Or you may want to limit the use of
automated remediation to only some nodes or node groups.

Summary
Evaluation Guide Summary
Tripwire Enterprise is the market-leading, configuration audit and control solution. It detects
changes to IT infrastructure configurations, and reconciles those changes against existing IT
service-management systems and policies. As a result, Tripwire Enterprise identifies any
unauthorized changes, policy exceptions, and security violations. With Tripwire Enterprise, your
organization can better control risk, increase operational efficiency, strengthen governance, and,
ultimately, improve its responsiveness to business demands.
In this evaluation, you learned how Tripwire Enterprise:
l Detects Change. By running a version check, you detected and recorded changes on your
network. In Tripwire Enterprise, element versions record the source and nature of each
detected change. For each monitored object in your IT infrastructure, the associated
history of element versions provides an independent, verifiable audit trail.
l Reports Change. Tripwire Enterprise includes a library of versatile reports that compile
information about change-process metrics, change activity, change history, and the status
of monitored systems. In this evaluation, you learned how to run reports, and how to use
linked reports to “drill down” into report data.
l Analyzes Change. To reconcile a detected change, you first assessed the desirability of
the change in the Tripwire Enterprise interface. By reviewing change data in the Node
Manager and Difference Viewer, you determined if the change was expected or
unexpected. Once the desirability of the change was assessed, you resolved the change by
promoting the new change version to the baseline.
l Manages Compliance. To test compliance, you ran policy tests on selected nodes, and
then viewed the results of the tests in policy reports. Finally, you learned about Tripwire
Enterprise's powerful automated remediation features.
Although this evaluation shows the basic outline of Tripwire Enterprise functionality, it barely
scratches the surface of Tripwire Enterprise’s capabilities. For an overview of some of these,
see Other Tripwire Enterprise Features on the next page.
Tripwire Enterprise 8.7.0 Evaluation Guide 45 Summary

Other Tripwire Enterprise Features
Monitoring Asset Health

In Tripwire Enterprise, nodes are “healthy” if they can communicate with the TE Console
without errors. TE monitors the health of a node each time that it attempts to communicate, for
example during a version check, promotion, or baseline operation. Healthy nodes have a
Health:Healthy Assets tag in the Asset View tab.
You can resolve some errors from the Nodes tab, for example by restarting all of the nodes in
the Out of Sync Errors smart node group. To resolve other errors, you may need to review
details of the errors that are displayed in the Asset View tab. For more information, see
Monitoring the Health of Nodes and Resolving Errors in the Tripwire Enterprise User Guide.
Custom Properties
A custom property is a user-defined key/value pair created in the Settings Manager. You can
apply custom property values to Tripwire Enterprise nodes, elements, or element versions
manually, or Tripwire Enterprise can update these values automatically based on changes
detected by the software.
Custom properties enable Tripwire Enterprise to deliver immediate value to your IT change
process by automatically categorizing and reconciling changes using criteria you define. For
example, custom properties can be used to:
l Categorize changes. Tripwire Enterprise could set a custom property for any change that
occurs outside of a change window. If you later determine that this change is
unauthorized, the system can easily be returned to its original state.
l Classify monitored systems, such as those covered by a regulation like Sarbanes-Oxley.
The value for a property could be used to filter those systems for reporting purposes.
l Automatically reconcile changes. Using conditional actions (see the next section),
Tripwire Enterprise can evaluate changes and take different actions based on custom
property values. For example, the software could allow changes made by a specific user
during a specific time period, and send an e-mail notification to IT personnel of all other
changes.
For more information on custom properties, see What are Custom Properties? in the Tripwire
Conditional Actions
Unlike the e-mail action that you created in this evaluation, a conditional action runs one
response if a detected change meets specified conditions, or a different response if the
conditions are not met.

For example, you could create a conditional action that would automatically promote element
versions that meet specific criteria. You might want to promote only versions that changed in a
certain time period, or only those with specific content. For more information, see How Does a
Conditional Action Work? in the Tripwire Enterprise User Guide.
Audit-Log Integration and Real-Time Monitoring

Many operating systems include an audit log utility to record events that occur on the local
system. When an event is detected, the utility adds the event and relevant details to a log file.
This information may include the type and time of the event, as well as the responsible user or
application. For more information on audit log integration, see What is Audit-Event Collection? in
the Tripwire Enterprise User Guide.
On some Windows systems, Tripwire Enterprise can monitor the system for changes made in
real time. For more information on this feature, see How Does Real-Time Monitoring Work? in
the Tripwire Enterprise User Guide.
User Roles and Access Controls

You can control user access to Tripwire Enterprise objects in two ways:
l User roles control how a user can view, create, or otherwise modify data in Tripwire
Enterprise. Tripwire Enterprise has a number of pre-defined user roles, but you can also
define custom user roles to support your own user access policies. For more information,
see What are User Permissions and User Roles? in the Tripwire Enterprise User Guide.
l For greater control of user access, a Tripwire Enterprise administrator can create access
controls. An access control is a setting that grants specified user accounts and/or user
groups exclusive access to a node, rule, group, or other Tripwire Enterprise object. For
more information, see What are Access Controls? in the Tripwire Enterprise User Guide.
TE Console REST API and Command Line Interface

TE Console includes a growing REST API that provides data and automation access to Tripwire
Enterprise. For more information on the API, see https://<TE_Server_hostname>/api on your
TE Console system.
In addition to the REST API, the Command Line Interface (CLI) can be used to run Tripwire
Enterprise functions without the TE interface and create custom integrations. A CLI-scripted
program may be used to automatically run a Tripwire Enterprise function when an event occurs
in another application. For example, if a change request is authorized in a change management
system (CMS), an integration program could instruct Tripwire Enterprise to promote the
associated element versions.
For more information about the CLI, see the Tripwire Enterprise Reference Guide.

Integrating Tripwire Enterprise with External Resources
Tripwire Professional Services can provide integrations with most change-management systems
tailored to match your unique change process. With these integrations, you can:
l Map information in Tripwire Enterprise to change requests in a help-desk ticketing

system, and respond to changes detected by Tripwire Enterprise.
l Create new help-desk tickets based on changes detected by Tripwire Enterprise.
l Automatically attach Tripwire Enterprise reports to help-desk tickets and change requests.
Configuration-change monitoring and reporting capabilities are key components of the IT service
management model. Together with automated infrastructure components, Tripwire Enterprise
integrations enable IT organizations to maximize the efficiency of IT service levels.

Customer Services
From initial planning through post-deployment operation of your Tripwire Enterprise
implementation, Tripwire Customer Services can assist you every step of the way. Our team can
work with you to devise the perfect plan to achieve your goals in using Tripwire Enterprise. We
can then continue to assist you with extensive deployment and post-deployment services.
The Tripwire Customer Services team offers the following services:
l Deployment Services enable you to swiftly put Tripwire Enterprise to work. From pre-
deployment planning to customization, we assure that Tripwire Enterprise is up and
running as quickly and effectively as possible.
l Post-Deployment Services have been designed with specific needs in mind. With Post-
Deployment Services, our team of experts can make our solutions work harder for you and
deliver greater value in many different ways.
l Professional Services ensure that you benefit fully from your investment in Tripwire
Enterprise. Our team of experts will work directly with your organization to address
challenges in any of the following areas:
- Audit and compliance preparedness
- Change and configuration management
- Security enforcement
- Best practices and process improvement
For more information, visit the Tripwire Customer Services Web site:
https://www.tripwire.com/services
Contact Us
We look forward to showing you more ways in which Tripwire Enterprise can assist you. For
further information, please contact us at:
E-mail: sales@tripwire.com
Phone: 1-800-TRIPWIRE (1-800-874-7947)

Te Evaluation Guide PDF

Uploaded by

Copyright:

Available Formats

Te Evaluation Guide PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Te Evaluation Guide PDF

Uploaded by

Copyright:

Available Formats

TRIPWIRE®

TRIPWIRE ENTERPRISE 8.7.0

FOUNDATIONAL CONTROLS FOR

Installation & Configuration 7

Tripwire Enterprise 8.7.0 Evaluation Guide 3 Contents

Tripwire Enterprise 8.7.0 Evaluation Guide 4 Contents

Tripwire Enterprise 8.7.0 Evaluation Guide 5 Contents

The Tripwire Enterprise Evaluation Guide provides a detailed introduction to Tripwire

The Guide consists of the following parts:

Tripwire Enterprise 8.7.0 Evaluation Guide 6 Evaluation Overview

Activity: Installing Tripwire Enterprise Console Software

l A Tripwire Enterprise Server is the host machine on which Tripwire Enterprise

Tripwire Enterprise 8.7.0 Evaluation Guide 8 Installation & Configuration

To launch Fast Track, log in to Tripwire Enterprise:

Tripwire Enterprise 8.7.0 Evaluation Guide 9 Installation & Configuration

Tripwire Enterprise 8.7.0 Evaluation Guide 10 Installation & Configuration

Figure 1. The Tripwire Enterprise interface

Manager Bar and Tabs

Figure 2. The Manager Bar

Tripwire Enterprise 8.7.0 Evaluation Guide 11 Installation & Configuration

Figure 3. Tabs for the Node Manager

l Show all labels in a Manager’s button bar.

l Logout ends the current user session.

Tripwire Enterprise 8.7.0 Evaluation Guide 12 Installation & Configuration

Figure 5. The Tree pane and Main pane

Tripwire Enterprise 8.7.0 Evaluation Guide 13 Installation & Configuration

Activity: Creating Nodes

l Creating a Network Device Node

Tripwire Enterprise 8.7.0 Evaluation Guide 14 Installation & Configuration

l Tripwire Enterprise Agent (TE Agent) is a remote-execution environment that enables

l Installing Tripwire Enterprise Agent

Tripwire Enterprise 8.7.0 Evaluation Guide 15 Installation & Configuration

Figure 6. The Asset View tab

Tripwire Enterprise 8.7.0 Evaluation Guide 16 Installation & Configuration

To create a new tag set:

To assign the evaluation tag to nodes:

To view nodes in a smart node group:

Tripwire Enterprise 8.7.0 Evaluation Guide 17 Installation & Configuration

l A component of a monitored system, such as a file or registry key

Note Tripwire has developed a collection of platform-specific, pre-configured rules that

Optional: Creating Network Device, Directory, or Database Rules

l Creating a Configuration File Rule

Tripwire Enterprise 8.7.0 Evaluation Guide 18 Installation & Configuration

Activity: Creating an E-mail Action

To configure Tripwire Enterprise to use an e-mail server:

To create an e-mail action:

Tripwire Enterprise 8.7.0 Evaluation Guide 19 Installation & Configuration

Tripwire Enterprise 8.7.0 Evaluation Guide 20 Installation & Configuration

About Elements, Element Versions, and Baselines

An element is a system-created object that represents a single monitored object. An element

Tripwire Enterprise can create two types of element versions:

l A baseline version (or baseline) is an authoritative version of a monitored object.

About Version Checking

Tripwire Enterprise 8.7.0 Evaluation Guide 22 Detecting Changes

Tripwire Enterprise 8.7.0 Evaluation Guide 23 Detecting Changes

To assign an action to a task:

To run tasks manually:

Tripwire Enterprise 8.7.0 Evaluation Guide 24 Detecting Changes

To review the current baselines for a node: