TRIPWIRE®

ENTERPRISE

TRIPWIRE ENTERPRISE 9.0

REFERENCE GUIDE

FOUNDATIONAL CONTROLS FOR

SECURITY, COMPLIANCE & IT OPERATIONS
© 1998-2022 Tripwire, Inc. All rights reserved.

Tripwire is a registered trademark of Tripwire, Inc. Other brand or product names may be trademarks or
registered trademarks of their respective companies or organizations.

Contents of this document are subject to change without notice. Both this document and the software described
in it are licensed subject to Tripwire’s End User License Agreement located at https://www.tripwire.com/legal,
unless a valid license agreement has been signed by your organization and an authorized representative of
Tripwire. This document contains Tripwire confidential information and may be used or copied only in
accordance with the terms of such license.

This product may be protected by one or more patents. For further information, please visit:
https://www.tripwire.com/company/patents.

Tripwire software may contain or be delivered with third-party software components. The license agreements
and notices for the third-party components are available at: https://www.tripwire.com/legal.

Tripwire, Inc.
308 SW Second Ave, Suite 400
Portland, OR 97204

US Toll-free: 1.800.TRIPWIRE
main: 1.503.276.7500
fax: 1.503.223.0182
https://www.tripwire.com
tripwire@tripwire.com
Contents

About This Guide 5

Overview 5
Document List 5
Document Conventions 6
Contact Information 7

Chapter 1. Using the Command Line Interface 8

What is the Command Line Interface? 9
What Can You Do with the CLI? 10
Working with the Command Line Interface 13
Installing the Command Line Interface 13
CLI Command Format and Standards 16
Viewing CLI Online Help 17
Setting Common Options with the CLI 18
Limiting Commands to Specific Nodes and Elements 22
Defining Global and Local Variables with the CLI 26
Baselining Elements with the CLI 27
Checking Nodes for Changes with the CLI 29
Temporarily Disabling and Enabling Version Checks with the CLI 31
Restarting Nodes with the CLI 32
Managing Node Licenses with the CLI 33
Promoting Element Versions with the CLI 35
Promoting by Reference with the CLI 38
Exporting Objects with the CLI 40
Importing Objects with the CLI 43
Deleting Tripwire Enterprise Objects with the CLI 46
Renaming TE Objects with the CLI 48
Running Reports with the CLI 50

Tripwire Enterprise 9.0 Reference Guide 3

 Running a Task with the CLI 54
Running Actions with the CLI 55
Creating TE Users with the CLI 57
Creating Log Messages with the CLI 59
Configuring the Event Generator with the CLI 62
Viewing Tripwire Enterprise License Files with the CLI 64
Setting Custom Property Values with the CLI 65
Creating Launch in Context URLs with the CLI 67
Viewing the Current CLI Version Number 69

Chapter 2. Monitoring AAA Log Messages 70

What is the Tripwire Enterprise AAA Log Monitoring Tool? 71
Working with the Tripwire Enterprise AAA Log Monitoring Tool 72
System Requirements 72
Installing the Tripwire Enterprise AAA Log Monitoring Tool 72
Running the Tripwire Enterprise AAA Log Monitoring Tool 73
Log File Rotation 73
AAA Log Messages that Trigger Version Checks 74
Supported AAA Log Formats 75

Chapter 3. System Properties 76

Tripwire Enterprise Console Configuration Properties 77
Tripwire Enterprise Agent Configuration Properties 87

Chapter 4. Windows RSoP Attributes 94

Windows RSoP Attributes 95

Index 103

Tripwire Enterprise 9.0 Reference Guide 4

About This Guide

Overview
The Tripwire Enterprise Reference Guide includes the following sections:
l Chapter 1: Using the Command Line Interface (on page 8) describes the process for using
the Tripwire Enterprise Command Line Interface and AAA Log Manager tools.
l Chapter 2: Monitoring AAA Log Messages (on page 70) describes the process for
configuring automatic version checks, triggered by AAA log messages.
l Chapter 3: System Properties (on page 76) describes the configuration properties available
in Tripwire Enterprise Console and Tripwire Enterprise Agent.
l Chapter 4: Windows RSoP Attributes (on page 94) describes the Group Policy settings
identified by Tripwire Enterprise Windows RSoP rules.

Document List
The Tripwire Enterprise Installation & Maintenance Guide provides installation and upgrade
instructions for Tripwire Enterprise software. In addition, this guide includes procedures for the
maintenance of your Tripwire Enterprise software and database.

The Tripwire Enterprise User Guide provides a detailed overview of Tripwire Enterprise
functionality, along with related concepts and procedures.

The Tripwire Enterprise Reference Guide contains supplemental information for the operation of
Tripwire Enterprise software and associated applications.

PDF versions of these documents are available:

l on the Downloads page of the Tripwire Customer Center
(https://tripwireinc.force.com/customers)
l in the docs directory of the Tripwire Enterprise installation DVD
l in the TE Console download archive

In addition, online help may be accessed from the Tripwire Enterprise interface. The online help
includes the content of all documents cited above.

Tripwire Enterprise 9.0 Reference Guide 5 About This Guide

Document Conventions
Convention Description
Bolding Indicates:
l The labels of buttons, menus, fields, dropdowns, and check boxes.
l Options selected from a dropdown list or menu.
l Keystrokes and menu paths.
l Introductory sentences for procedures.
l The first reference of a term.
Examples:
l In the Monitor dialog, select the Activate check box.
l Press CTRL+DELETE.

Italics Indicates cross references to sections and chapters in this book, as well as the titles of
other books.

Example: "For more information, see Creating a Node."

Sans Serif Indicates:

l URLs and email addresses
l Directory paths and file names
l Command-line entries
Examples:
l www.tripwire.com
l C:\Program Files\

Brackets Indicates a set of possible user-entered options; individual options are separated by the
pipe ( | ) character.

Example: [ 1 | 2 | 3 ]

Angle brackets Indicates placeholders for user-entered values.

Example: <a_variable>

Tripwire Enterprise 9.0 Reference Guide 6 About This Guide

Contact Information
Tripwire, Inc.

308 SW Second Ave, Suite 400

Portland, OR 97204
Web site: https://www.tripwire.com
Main: 503.276.7500
Fax: 503.223.0182
US Toll-free: 1.800.TRIPWIRE (1.800.874.7947)

Tripwire Sales

Domestic: sales@tripwire.com
Government: govt@tripwire.com
EMEA: emeasales@tripwire.com
APAC: apacsales@tripwire.com
Japan: info@tripwire.co.jp

Tripwire Technical Support

Online support: https://tripwireinc.force.com/customers

Support policies: https://www.tripwire.com/customers/support-policy/
Contact: https://tripwireinc.force.com/customers/contact

Tripwire Professional Services

Tripwire Professional Services provides a wide range of services, including Tripwire

Quickstarts, Turnkey Implementations, Change Auditing, and Process Improvement. For more
information, please visit https://www.tripwire.com/services or contact your Tripwire sales
representative.

Tripwire Educational Services

Tripwire Educational Services provides hands-on technical training for the installation,
configuration, and maintenance of your Tripwire software. All courses are taught by Tripwire
Certified Instructors. For more information, please contact your Tripwire sales representative or
visit https://www.tripwire.com/services/training.

Product Alerts and Notifications

The Tripwire Forums provide an online community where you can ask questions, get help from
other Tripwire users, and find the latest product updates and alerts. Subscribe to the product-alert
channels to receive notifications about important product issues that may affect your
environment. To subscribe, visit https://forums.tripwire.com.

Tripwire Enterprise 9.0 Reference Guide 7 About This Guide

 Chapter 1.
Using the Command Line
Interface
What is the Command Line Interface?
The Command Line Interface (CLI) is a utility that allows you to run Tripwire Enterprise
functions without using the TE interface. Once the CLI has been installed on a system, you can
perform a number of Tripwire Enterprise operations from the command line of the CLI host
machine. To complete an operation, the CLI host machine communicates with the Tripwire
Enterprise Server over a secure network connection.

Note Starting with version 8.4.1, TE Console includes a REST API that supports much
of the same functionality as the CLI. For more information on the new API, see
https://<TE_Console_hostname>/api on your TE Console system.

With the Command Line Interface, you can perform a variety of functions, including:
l Defining global and local variables
l Baselining monitored objects
l Version checking monitored objects
l Promoting element versions to the baseline
l Setting values for custom properties
l Running actions and reports
l Importing XML files containing nodes, rules, or actions
l Creating launch in context URLs

Note The same TE user permissions required to perform a task with the TE interface
are required to perform that task using the CLI. For each command, you must
provide the username and passphrase for a TE user account with sufficient
permissions.

For a list of user permissions associated with each TE procedure, see Appendix
II: User Permissions for Procedures in the Tripwire Enterprise Online Help.

You can also write a customized integration program with the Command Line Interface. A CLI-
scripted program can automatically run a Tripwire Enterprise function when an event occurs in
another application. For example, if a change request is authorized in a change management
system (CMS), an integration program could instruct Tripwire Enterprise to promote the
associated change versions.

The Command Line Interface is language- and platform-independent. Therefore, integration

programs may be written in any programming language supported by the host operating system.

For CLI commands, options, and installation instructions, see Working with the Command Line
Interface on page 13.

Tripwire Enterprise 9.0 Reference Guide 9 Chapter 1. Using the Command Line Interface
What Can You Do with the CLI?
Most CLI commands run standard Tripwire Enterprise functions. Table 1 below defines the
commands supported by the CLI.

For general guidelines in entering commands, options, and arguments, see CLI Command
Format and Standards on page 16.

Note The CLI supports the same wildcard (?*) characters that may be used with
Tripwire Enterprise search functions. For more information, see How Do I Run a
Search? in the Tripwire Enterprise User Guide.

Table 1. Command Line Interface commands

Command Description

baseline This command baselines specified elements.

l For an introduction to baselining, see About Baselines in the Tripwire
Enterprise User Guide.
l To run a baseline command, see Baselining Elements with the CLI on
page 27.

check This command checks specified nodes and elements for changes.
l For a discussion of version checking, see About Version Checks in the
Tripwire Enterprise User Guide.
l To run a check command, see Checking Nodes for Changes with the CLI on
page 29.

configureNode This command can be used to configure audit event collection or real-time
monitoring on Tripwire Enterprise nodes. For more information, see Configuring
EventGenerator the Event Generator with the CLI on page 62.

createLogMessage This command creates Tripwire Enterprise log messages that can be viewed in
the TE Log Manager. To run a createLogMessage command, see Creating Log
Messages with the CLI on page 59.

delete This command deletes specified Tripwire Enterprise objects. To run a delete
command, see Deleting Tripwire Enterprise Objects with the CLI on page 46.

export This command exports specified nodes or rules to an XML file.

l For a discussion of XML files, see How Does Tripwire Enterprise Import an
XML File? in the Tripwire Enterprise User Guide.
l To run an export command, see Exporting Objects with the CLI on
page 40.

getLicenseInfo This command checks the license files associated with a Tripwire Enterprise
installation. To run a getLicenseInfo command, see Viewing Tripwire
Enterprise License Files with the CLI on page 64.

import This command imports the contents of an XML node file or XML rule file to your
Tripwire Enterprise implementation. To run an import command, see Importing
Objects with the CLI on page 43.

Tripwire Enterprise 9.0 Reference Guide 10 Chapter 1. Using the Command Line Interface
 Command Description

licurl This command generates a Launch in Context URL. For more information, see
Creating Launch in Context URLs with the CLI on page 67.

newuser This command creates a new Tripwire Enterprise user account. For more
information, see Creating TE Users with the CLI on page 57.

promote This command promotes the latest version of an element(s) to the baseline.
l For an introduction to promotion, see What is Promotion? in the Tripwire
Enterprise User Guide.
l To run a promote command, see Promoting Element Versions with the CLI
on page 35.

promoteRefNode This command promotes element versions that match versions on a different
node.
l For an introduction to promote by reference, see What is the By-Reference
Selection Method? in the Tripwire Enterprise User Guide.
l To run a promoteRefNode command, see Promoting by Reference with the
CLI on page 38.

report This command compiles output for a Tripwire Enterprise report. As appropriate,
report output may be limited to changes associated with specific nodes or rules.
l For an overview of Tripwire Enterprise reports, see What are Reports and
Report Types? in the Tripwire Enterprise User Guide.
l To run a report command, see Running Reports with the CLI on page 50.

restartAgent This command stops and restarts the TE Agent service for one or more file
server nodes. If needed, you can also refresh the Agent data upon restart. For
more information, see Restarting Nodes with the CLI on page 32.

runaction This command runs one or more Tripwire Enterprise actions.

l For an introduction to actions, see What are Actions and Action Types? in
the Tripwire Enterprise User Guide.
l To run a runaction command, see Running Actions with the CLI on
page 55.

runtask This command runs a Tripwire Enterprise task.

l For an introduction to tasks, see What are Task Types? in the Tripwire
Enterprise User Guide.
l To run a runtask command, see Running a Task with the CLI on page 54.

set This command defines and saves a default argument for a common option.
Common options are options that may be applied to any command.
Common options include:
l The address of a Tripwire Enterprise Server
l Valid Tripwire Enterprise log-on credentials (username and password)
l Locale information
If you set an argument for a common option, and omit the option from a
command, the CLI uses the default argument for the option.

To run a set command, see Setting Common Options with the CLI on page 18.

Tripwire Enterprise 9.0 Reference Guide 11 Chapter 1. Using the Command Line Interface
 Command Description

setcustomproperty This command assigns custom property values to specified nodes, elements, or
element versions.
l For an introduction to custom properties, see What are Custom Properties?
in the Tripwire Enterprise User Guide.
l To run a setcustomproperty command, see Setting Custom Property
Values with the CLI on page 65.

setname This command renames a Tripwire Enterprise object. For more information, see
Renaming TE Objects with the CLI on page 48.

setNodeEnabled This command temporarily suspends version checks or baselines for a node. For
more information, see Temporarily Disabling and Enabling Version Checks with
the CLI on page 31.

variable This command defines or updates a Tripwire Enterprise variable.

l For an introduction to global and local variables, see What are Global and
Local Variables? in the Tripwire Enterprise User Guide.
l To run a variable command, see Defining Global and Local Variables with
the CLI on page 26.

version This command outputs the current version of the Command Line Interface. For
more information, see Viewing the Current CLI Version Number on page 69.

Tripwire Enterprise 9.0 Reference Guide 12 Chapter 1. Using the Command Line Interface
Working with the Command Line Interface

Installing the Command Line Interface

Note To use the CLI, you must install the version of the CLI that was released with
your current Tripwire Enterprise Console software.

To install the CLI on a Windows system:

1. Locate the twtool.zip file in the extras directory of your Tripwire Enterprise installation
files. You can also download twtool.zip from the Downloads > Tripwire Enterprise –
Platforms > Extras section of the Tripwire Customer Center.
2. Unzip the contents of the twtool.zip file to an installation directory.
3. Direct your JAVA_HOME environment variable to a JRE with strong encryption (version 1.8).
For details about obtaining and installing strong encryption, see Obtaining and Installing
the Strong Encryption JRE on page 15.
4. In order to use SSL to secure communication between the CLI and TE Console, you must
export the Console's certificate, then import it into the CLI system's certificate trust store.

Note If you don't want to use SSL certificate validation for communication with
TE Console, you can skip this step. However, you must add the -Q flag to
all CLI commands, or set it as a common option. For more information,
see Setting Common Options with the CLI on page 18.

Use the following commands to export and import the SSL certificate:
keytool -exportcert -file "%TEMP%\te.cert" -alias tomcat
-keystore "%TW_HOME%\data\security\tomcat.ks"
-storepass <services_passphrase> -providername BCFIPS
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
-storetype BCFKS -providerpath "%TW_HOME%\lib\ext\bc-fips-*.jar"

keytool -importcert -file "%TEMP%\te.cert" -alias tomcat

-keystore "<twtool_installation_dir>\twtool\lib\cacerts" -storepass changeit

Tripwire Enterprise 9.0 Reference Guide 13 Chapter 1. Using the Command Line Interface
 To install the CLI on a Linux system:
1. Locate the twtool.zip file in the extras directory of your Tripwire Enterprise installation
files. You can also download twtool.zip from the Downloads > Tripwire Enterprise –
Platforms > Extras section of the Tripwire Customer Center.
2. Unzip the contents of the twtool.zip file to an installation directory.
3. On the CLI host system, run the following command:
chmod +x <install_dir>/bin/twtool.sh

4. Direct your JAVA_HOME environment variable to a JRE with strong encryption (version 1.8).
For details about obtaining and installing strong encryption, see Obtaining and Installing
the Strong Encryption JRE on the next page.

5. In order to use SSL to secure communication between the CLI and TE Console, you must
export the Console's certificate, then import it into the CLI system's certificate trust store.

Note If you don't want to use SSL certificate validation for communication with
TE Console, you can skip this step. However, you must add the -Q flag to
all CLI commands, or set it as a common option. For more information,
see Setting Common Options with the CLI on page 18.

Use the following commands to export and import the SSL certificate:
keytool -exportcert -file /tmp/te.cert -alias tomcat
-keystore $TW_HOME/data/security/tomcat.ks
-storepass <services passphrase> -providername BCFIPS
-providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
-storetype BCFKS -providerpath $TW_HOME/lib/ext/bc-fips-*.jar

keytool -importcert -file /tmp/te.cert -alias tomcat

-keystore <twtool_installation_dir>/twtool/lib/cacerts -storepass changeit

Tripwire Enterprise 9.0 Reference Guide 14 Chapter 1. Using the Command Line Interface
Obtaining and Installing the Strong Encryption JRE

Note If JRE 1.8.0_151 or later is used on the TE Console system, it is not necessary to
download and install the JCE as described below. Newer versions of Java use the
unlimited strength policy by default. The JRE files must still be downloaded and
installed as described.

1. Go to the following Java SE Downloads page and download the correct version of the
Java SE 8 JRE installer for your TE Console:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

2. Run the installer, noting the install location.

3. Return to the Java SE Downloads page, and download the Java Cryptography Extension
(JCE) Unlimited Strength Jurisdiction Policy Files 8.
4. Unzip the JCE zip file and locate the two files, local_policy.jar and US_export_
policy.jar.

5. Copy these two files over the files of the same name in the JRE installation which you
created earlier. These files are in the JRE installation in the subdirectory lib/security.
6. Create an environment variable named JAVA_HOME if you don’t already have one.

Tripwire Enterprise 9.0 Reference Guide 15 Chapter 1. Using the Command Line Interface
CLI Command Format and Standards
Once the Command Line Interface has been installed (see Installing the Command Line Interface
on page 13), you can enter commands at the command prompt. When entering a command, use
the following format:

twtool.cmd <command> [-<option> <argument>] ...

where:

<command> is a command that directs the Command Line Interface (CLI) to perform an
operation. Most CLI commands run standard Tripwire Enterprise functions. For a list of
CLI commands, see What Can You Do with the CLI? on page 10.
<option> is a parameter that may be entered with a command. Typically, you enter
multiple options with a single command. Some options control what a command does,
while other options specify which objects are targeted by a command. To learn more
about targeting specific nodes and elements, see Limiting Commands to Specific Nodes
and Elements on page 22.
<argument> is a value assigned to an option. In most cases, only a single argument can be
entered for an option. However, some options may be assigned multiple arguments.

Note In the examples in this chapter, the .cmd extension is used with the twtool
command. However, Linux systems will use twtool.sh.

When entering a command, follow the guidelines below:

l To run twtool, either change directories to the Command Line Interface /bin directory
before entering the command, or begin each command with the complete path to the /bin
directory.
l An unlimited number of options and arguments may be entered with each command.
l Always insert a single space between an option and the option’s argument(s).
l Each option may be entered in long form or short form. The long form of an option is the
entire name of the option, while the short form is an abbreviation. For example, --node is
the long form of the node option, while -n is the short form.
l Several options (Noids, Eoids, NGoids, Roids, RGoids, Aoids, and AGoids) require the entry
of Object Identifiers (OIDs). An Object Identifier is a unique code that Tripwire
Enterprise automatically assigns to an object.

Note OIDs only appear in XML report files and in XML output that is exported
from the TE Console.

l When entering an OID option, you can enter an unlimited number of arguments by
separating each entry with a comma (,). However, only a single argument may be entered
with all other options.

Tripwire Enterprise 9.0 Reference Guide 16 Chapter 1. Using the Command Line Interface
Example

In the following example, the check command applies a single rule (CheckStatus) to check two
nodes for changes (SonOfKong and 24.7.142.212). The options (--node and --rule) are entered in
short form (-n and -r).

twtool.cmd check -n SonOfKong -n 24.7.142.212 -r CheckStatus

where:

check is the command to be executed.

-n and -r are the options to be applied to the command.

SonOfKong and 24.7.142.212 are the arguments for the -n options.

CheckStatus is the argument for the -r option.

Viewing CLI Online Help

To review online help for the Command Line Interface, enter the --help (short form = -h) option
at the command prompt.
l If the --help option is entered with a command (see on page 13), the CLI only displays
help information that applies to the entered command.
l If the --help option is entered by itself (without a command), the CLI displays a list of all
available commands.

Tripwire Enterprise 9.0 Reference Guide 17 Chapter 1. Using the Command Line Interface
Setting Common Options with the CLI
With the set command, a default argument may be defined and saved for each common option.
Once an argument has been set for a common option, you can omit the option from a command.

For definitions of common options, see Table 2 on the next page. This table also identifies the
commands with which each common option may be used.

Note For command descriptions and an introduction to common options, see Working
with the Command Line Interface on page 13.

Guidelines

To define and save a default argument for a common option, enter the set command with the
following format:

twtool.cmd set -<commonOption> <argument>

where:

<commonOption> is a common option (see Table 2).

<argument> is the default value assigned to the common option.

When setting arguments for common options, keep the following considerations in mind:
l If a default argument has been set for a common option, and the option is omitted from a
command, the Command Line Interface uses the default argument when executing the
command.
l If a default argument has been set for a common option, and you manually enter another
argument for the option in the command line, the command line argument takes
precedence.
l If a service, username, or password option does not have a default argument, and the
option is omitted from a command, an error occurs.

Tripwire Enterprise 9.0 Reference Guide 18 Chapter 1. Using the Command Line Interface
 Table 2. Common options

Option
(Short Form/ Applicable
Long Form) Commands Arguments

-s baseline This option provides a URL for the Tripwire Enterprise

--service check Server. URLs should be entered in the following format:
createLogMessage https://<TE_hostname>/twservice/soap
delete
export where <TE_hostname> is the resolvable hostname for the
getLicenseInfo Tripwire Enterprise Server.
import
licenseNode
licurl
promote
promoteRefNode
report
restartAgent
runaction
runtask
setcustomproperty
setNodeEnabled
variable

-u baseline This option specifies the username of an authorized Tripwire

--username check Enterprise user.
createLogMessage
delete
export
getLicenseInfo
import
licenseNode
promote
promoteRefNode
report
restartAgent
runaction
runtask
setcustomproperty
setNodeEnabled
variable

Tripwire Enterprise 9.0 Reference Guide 19 Chapter 1. Using the Command Line Interface
 Option
(Short Form/ Applicable
Long Form) Commands Arguments

-Q baseline This option enables the CLI to connect to the TE Console

--trustAll check without importing the TE Console's certificate into the CLI
system's key store.
Certificates createLogMessage
delete This option is required unless the TE Console's certificate
export has been imported into the CLI's keystore. For more
information, see Installing the Command Line Interface on
getLicenseInfo
page 13
import
licenseNode
licurl
promote
promoteRefNode
report
restartAgent
runaction
runtask
setcustomproperty
setNodeEnabled
variable

-p baseline This option provides the password of an authorized Tripwire

--password check Enterprise user.
createLogMessage
delete
export
getLicenseInfo
import
licenseNode
promote
promoteRefNode
report
restartAgent
runaction
runtask
setcustomproperty
setNodeEnabled
variable

Tripwire Enterprise 9.0 Reference Guide 20 Chapter 1. Using the Command Line Interface
 Option
(Short Form/ Applicable
Long Form) Commands Arguments

-l baseline This option provides the keyname for a locale. Locale

--locale check keynames customize command input and output for a
particular geographical, political, or cultural region. Locale
createLogMessage keynames include both language codes (lowercase) and
delete country codes.
export
Format
getLicenseInfo
import -l <language_code>_<country_code>
licenseNode
promote Example
promoteRefNode
-l en_US
report
restartAgent For a list of language codes, see:
runaction
http://www.oasis-open.org/cover/iso639a.html
runtask
setcustomproperty For a list of country codes, see:
setNodeEnabled
http://userpage.chemie.fu-berlin.de/diverse/doc/
variable
ISO_3166.html

-q baseline This option suppresses text content from standard output

--quiet check and standard error streams. With this option, success and
failure may be detected by the command’s return value.
createLogMessage
delete
export
getLicenseInfo
import
licenseNode
licurl
promote
promoteRefNode
report
restartAgent
runaction
runtask
setcustomproperty
setNodeEnabled
variable

Tripwire Enterprise 9.0 Reference Guide 21 Chapter 1. Using the Command Line Interface
Limiting Commands to Specific Nodes and Elements
With most commands, you can specify the nodes and elements on which the command will run.
For definitions of the options used to limit a command to specific nodes and elements, see Table
3 on page 24. This table also identifies the commands with which each option may be used.
Applicable commands include:
l baseline (see Baselining Elements with the CLI on page 27)

l check (see Checking Nodes for Changes with the CLI on page 29)

l createLogMessage (see Creating Log Messages with the CLI on page 59)

l delete (see Deleting Tripwire Enterprise Objects with the CLI on page 46)

l export (see Exporting Objects with the CLI on page 40)

l licenseNode (see Managing Node Licenses with the CLI on page 33)

l promote (see Promoting Element Versions with the CLI on page 35)

l promoteRefNode (see Promoting by Reference with the CLI on page 38)

l report (see Running Reports with the CLI on page 50)

l restartAgent (see Restarting Nodes with the CLI on page 32)

l runaction (see Running Actions with the CLI on page 55)

l setcustomproperty (see Setting Custom Property Values with the CLI on page 65)

l setNodeEnabled (see Temporarily Disabling and Enabling Version Checks with the CLI
on page 31)
l variable (see Defining Global and Local Variables with the CLI on page 26)

Guidelines

These guidelines describe behavior for options that specify node groups, nodes, and elements.
l If you only enter a node group option in a command (nodeGroup or NGoids), the CLI runs
the command on all nodes in the specified node group.
l If you enter a node option (node or Noids) and a node group option (nodeGroup or NGoids)
in a command, the CLI searches the node group recursively for the specified node. If the
node group contains the specified node, the operation runs on that node only. Otherwise,
no action is taken.

Note This guideline does not apply to the report command. If you enter a node
option and node group option with a report command, the report will
generate data for all specified nodes (even if the entered node group does
not contain the specified node).

Tripwire Enterprise 9.0 Reference Guide 22 Chapter 1. Using the Command Line Interface
 l If you only enter a node option (node or Noids) in a command, the CLI runs the operation
on the specified node only.
l If you enter a node option (node or Noids) and an element option (element or Eoids) in a
command, the CLI searches the node(s) recursively for the specified element(s). If a node
contains a specified element, the operation runs on that element only. Otherwise, no action
is taken.

Example

In the following example, the check command uses a single rule (CheckStatus) to check a node
(SonOfKong) in a particular node group (Routers). The options (--nodeGroup, --node, and --rule)
are entered in short form (-w, -n, and -r).

twtool.cmd check -w Routers -n SonOfKong -r CheckStatus

where:

check is the command to be executed.

-w, -n, and -r are the options to be applied to the command.

Routers is the argument for the -w option.

SonOfKong is the argument for the -n option.

CheckStatus is the argument for the -r option.

With this command format, the CLI only runs the check operation if the Routers node group
contains a node named SonOfKong. If the Routers node group does not contain SonOfKong, or if
SonOfKong exists in a different node group, the CLI will not run a check.

Tripwire Enterprise 9.0 Reference Guide 23 Chapter 1. Using the Command Line Interface
 Table 3. Options used to specify node groups, nodes, and elements

Option
(Short Form/ Applicable
Long Form) Commands Arguments

-n baseline This option specifies the IP address or resolvable hostname

--node check of a single node. Entry of an IP address will specify all
systems to which the IP address is assigned.
createLogMessage
delete For faster, more precise command execution, Tripwire
export recommends the use of resolvable hostnames with this
option.
licenseNode
licurl
promote
promoteRefNode
report
restartAgent
runaction
setcustomproperty
setNodeEnabled
variable

-N baseline This option specifies the Object Identifiers (OIDs) for one or
--Noids check more nodes.
createLogMessage
delete
export
licenseNode
promote
promoteRefNode
report
restartAgent
runaction
setcustomproperty
setNodeEnabled
variable

-e baseline Used only in conjunction with the --node option or --Noids

--element check option, the --element option specifies the name of a single
createLogMessage element.
delete
If an element is a file or directory, the full path must be
promote provided. For example:
runaction
setcustomproperty -e C:\win\sys.txt (Windows)
setNodeEnabled
-e /etc/sys.txt (Linux)

Tripwire Enterprise 9.0 Reference Guide 24 Chapter 1. Using the Command Line Interface
 Option
(Short Form/ Applicable
Long Form) Commands Arguments

-E baseline Used only in conjunction with the --node option or --Noids

--Eoids check option, the --Eoids option specifies the Object Identifiers
createLogMessage (OIDs) for one or more elements.
delete
promote
runaction
setcustomproperty
setNodeEnabled

-w baseline This option specifies the name of a single node group. The
--nodeGroup check name of a node group should be entered exactly as it
appears in Tripwire Enterprise.
createLogMessage
delete
export
licenseNode
promote
promoteRefNode
report
restartAgent
runaction
setcustomproperty
setNodeEnabled
variable

-W baseline This option specifies the Object Identifiers (OIDs) for one or
--NGoids check more node groups.
createLogMessage
delete
export
licenseNode
promote
promoteRefNode
report
restartAgent
runaction
setcustomproperty
setNodeEnabled
variable

Tripwire Enterprise 9.0 Reference Guide 25 Chapter 1. Using the Command Line Interface
Defining Global and Local Variables with the CLI
With the variable command, you can:
l Create a new global or local variable
l Update the assigned value for an existing global or local variable

Global variables include text variables and password variables. For an introduction to Tripwire
Enterprise variables, see What are Global and Local Variables? in the Tripwire Enterprise User
Guide.

Guidelines

The options and guidelines in the following sections apply to the variable command:
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 4 on the next page defines additional options that may be applied to a variable command.
l The varname and varvalue options are required.
l To create a local variable, you must enter at least one node option or Noids option.

Example

Input
twtool.cmd variable -P -v NetPass -V dune*buggy -d "The global Network
Password variable"

Output
variable: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 26 Chapter 1. Using the Command Line Interface
 Table 4. variable command options

Option
(Short Form/
Long Form) Arguments

-v This option defines a name for the variable.

--varname

-V This option assigns a value to the variable.

--varvalue

-d This option provides a description of the variable.

--description

-P This option indicates that the variable is a password variable.

--isPassword

Baselining Elements with the CLI

To create up-to-date baselines for one or more elements, you can run the baseline command. As
needed, you may baseline an entire node group, individual nodes, or specific elements.

Guidelines

The options and guidelines in the following sections apply to the baseline command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 5 on the next page defines additional options that may be applied to a baseline command.
l You must enter at least one node option (node or Noids) or node group option (nodeGroup
or NGoids) with a baseline command.
l You should enter at least one rule option (rule or Roids) or rule group option (ruleGroup
or RGoids) with a baseline command. If you omit these options, the CLI will baseline the
specified elements with all rules in your Tripwire Enterprise implementation.

Tripwire Enterprise 9.0 Reference Guide 27 Chapter 1. Using the Command Line Interface
Example

Input
twtool.cmd baseline -n testNode -r ruleName

Output
baseline: 10 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Table 5. baseline command options

Option
(Short Form/
Long Form) Arguments

-r This option specifies the name of a rule to be used in the baseline operation. Each rule
--rule name should be entered exactly as it appears in Tripwire Enterprise.

-R This option specifies the Object Identifiers (OIDs) for one or more rules to be used in the
--Roids baseline operation.

-x This option specifies the name of a rule group to be used in the baseline operation. Each
--ruleGroup rule group name should be entered exactly as it appears in Tripwire Enterprise.

-X This option specifies the Object Identifiers (OIDs) for one or more rule groups to be
--RGoids used in the baseline operation.

-P This option indicates a node or node group to be omitted from the baseline operation. If
--preserve the preserve option is entered with a baseline command, the CLI does not create a
new baseline for any element that already has a baseline.

Tripwire Enterprise 9.0 Reference Guide 28 Chapter 1. Using the Command Line Interface
Checking Nodes for Changes with the CLI
To check nodes for changes, the check command applies one or more rules to specified
elements. As appropriate, entire node groups, individual nodes, or specific elements may be
checked for changes.

Guidelines

The options and guidelines in the following sections apply to the check command:
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 6 on the next page defines additional options that may be applied to a check command.
l You should enter at least one node option (node or Noids) or node group option
(nodeGroup or NGoids) with a check command. If you omit these options, the CLI will run
the check on all monitored nodes and elements.
l You should enter a single rule option (rule or Roids) or a single rule group option
(ruleGroup or RGoids) with a check command. If you omit one of these options, the CLI
will check the specified elements with all rules in your Tripwire Enterprise
implementation.

Example

Input
twtool.cmd check -u administrator -p password -w CiscoNodes -x CiscoRules

Output
check: 22 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 29 Chapter 1. Using the Command Line Interface
 Table 6. check command options

Option
(Short Form/
Long Form) Arguments

-r This option specifies the name of a rule to be used in the check operation. The rule
--rule name should be entered exactly as it appears in Tripwire Enterprise.

-R This option specifies the Object Identifier (OID) for a rule to be used in the check
--Roids operation.

-x This option specifies the name of a rule group to be used in the check operation. The
--ruleGroup rule group name should be entered exactly as it appears in Tripwire Enterprise.

-X This option specifies the Object Identifier (OID) for a rule group to be used in the check
--RGoids operation.

Tripwire Enterprise 9.0 Reference Guide 30 Chapter 1. Using the Command Line Interface
Temporarily Disabling and Enabling Version Checks with the CLI
The setNodeEnabled command temporarily suspends version checks or baselines for a node
without affecting the other nodes in the group. For example, if you take a system offline for
maintenance, you should first disable that node to prevent TE from reporting a connection error.
When you re-enable a disabled node, version checks and baselines resume normally.

Guidelines

The options and guidelines in the following sections apply to the setNodeEnabled command:
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 7 below describes the --enable option that must be applied to a setNodeEnabled command
using either a true or false argument.

Enter at least one node option (node or Noids) or node group option (nodeGroup or NGoids) with
the setNodeEnabled command to specify the node(s) you want to disable or enable.

Example

Input
twtool.cmd setNodeEnabled -u administrator -p password --enable false
--node BadNode

Output
Node(s) was disabled.

Table 7. setNodeEnabled command options

Option
(Short Form/
Long Form) Arguments

-e With the true argument, the specified nodes will be enabled.

--enable
With the false argument, the specified nodes will be disabled.

Tripwire Enterprise 9.0 Reference Guide 31 Chapter 1. Using the Command Line Interface
Restarting Nodes with the CLI
The restartAgent command stops and restarts the TE Agent service for one or more file server
nodes. If needed, you can also refresh the Agent data upon restart. Data refresh synchronizes the
local TE Agent database with the Tripwire Enterprise Console database.

Note Restarting Agents only affects Tripwire Enterprise Agents. It does not have any
affect on nodes with Tripwire Axon Agent installed or on network device nodes.

Guidelines

The options and guidelines in the following sections apply to the restartAgent command:
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 8 below describes the --refreshData option that may be applied to a restartAgent
command.

Enter at least one node option (node or Noids) or node group option (nodeGroup or NGoids) with
the restartAgent command.

Example

Input
twtool.cmd restartAgent -u administrator -p password --node BadNode

Output
A request to restart these nodes has been made.

Table 8. restartAgent command options

Option
(Short Form/
Long Form) Arguments

-r If this option is specified, the Agent data on the specified nodes is refreshed to
--refreshData synchronize the TE Agent database with the TE Console database.

Tripwire Enterprise 9.0 Reference Guide 32 Chapter 1. Using the Command Line Interface
Managing Node Licenses with the CLI
With the licenseNode command, you can enable or disables licenses on Tripwire Enterprise
nodes. For more information about licenses, see About Tripwire Enterprise Licenses in the
Tripwire Enterprise User Guide.

Guidelines

The options and guidelines in the following sections apply to the licenseNode command:
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 9 on the next page defines additional options that may be applied to a licenseNode
command..

Enter at least one node option (node or Noids) or node group option (nodeGroup or NGoids) with
the licenseNode command.

Examples

Input
twtool.cmd licenseNode --node acme.example.com --changeAudit true

Output of Successful Operation

Licensing feature was successful on:
Node Identity: '-1y2p0ij32e7sn:-1y2p0ij320ul2' Name: 'acme.example.com'

Output of Unsuccessful Operation

Licensing feature failed on:
Node Identity: '-1y2p0ij32e7sn:-1y2p0ij320ul2' Name: 'acme.example.com'
Reason: 'A license for the feature "File System Monitoring" is unavailable.'

Tripwire Enterprise 9.0 Reference Guide 33 Chapter 1. Using the Command Line Interface
 Table 9. licenseNode command options

Option
(Short Form/
Long Form) Arguments

-a If set to true, the Change Audit license is enabled for the specified nodes.
--changeAudit
If set to false, the Change Audit license is disabled for the specified nodes. For
more information, see About Tripwire Enterprise Licenses in the Tripwire Enterprise
User Guide.

-c If set to true, the Configuration Assessment license is enabled for the specified
--configAssess nodes.

If set to false, the Configuration Assessment license is disabled for the specified
nodes. This will also disable Automated Remediation licenses on these nodes. For
more information, see About Tripwire Enterprise Licenses in the Tripwire Enterprise
User Guide.

-r If set to true, the Automated Remediation license is enabled for the specified
--remediation nodes. To successfully enable automated remediation, a Configuration Assessment
license must also be enabled for the node.

If set to false, the Automated Remediation license is disabled for the specified
nodes. For more information, see About Tripwire Enterprise Licenses in the Tripwire
Enterprise User Guide.

Tripwire Enterprise 9.0 Reference Guide 34 Chapter 1. Using the Command Line Interface
Promoting Element Versions with the CLI
The promote command promotes specified current change versions to the baseline. You can
either promote specific versions, or all current change versions associated with a specified node
or node group. If the current version of an element is a baseline, no action is taken.

If desired, you can also promote element versions with the by-match selection method (also
known as promote-by-match). With promote-by-match, the CLI will only promote element
versions that meet the criteria specified by a matching strategy.

For more information about promotions and the by-match selection method, see What is the By-
Match Selection Method? in the Tripwire Enterprise User Guide.

Caution The rule-name strategy can result in the unwanted promotion of a great
number of elements.

Guidelines

The options and guidelines in the following sections apply to the promote command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 10 on the next page defines additional options that may be applied to a promote command.
l The comment option is always required.
l You should enter at least one node option (node or Noids) or node group option
(nodeGroup or NGoids) with a promote command.
l To promote a specific current change version(s), enter an element option (element or
Eoids) with a node option (node or Noids).

l A promote-by-match cannot be run with the element option or Eoids option.

l To run a promote-by-match, you must enter a type option and file option.

Results

When a promote operation finishes, the CLI displays the total number of element versions that
were promoted.

If a promote-by-match is run with the outputFile option, the CLI generates an XML
discrepancy report that identifies any discrepancies. For descriptions of discrepancies, see What
is the By-Match Selection Method? in the Tripwire Enterprise User Guide.

Tripwire Enterprise 9.0 Reference Guide 35 Chapter 1. Using the Command Line Interface
Example

Input
twtool.cmd promote -n testNode2 -t e -f /apps/dcr-hkbh4.xml
-o apps/junk2.txt -c “Promoting per Approval ID 3572”

Output
promote: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Table 10. promote command options

Option
(Short Form/
Long Form) Arguments

-c This option assigns a comment to each new baseline version created by the promotion.
--comment

-i This option assigns an Approval ID to each new baseline version created by the
--idref promotion.

-t (Promote-by-match only) This option indicates the type of matching strategy:

--type
e = element name

h = element name and hash value

r = rule name

-f (Promote-by-match only) This option provides the name and path of the match file (a
--file Detailed Changes Report or a text file). For guidance in creating a text file, see Creating
a Text-Match File on the next page.

Note: For the rule-names (r) type option, file entries are case insensitive.

-o (Promote-by-match only) To create an XML discrepancy report, enter a name and path
--outputFile for the report with this option.
If this option is not entered, the CLI lists the discrepancies in standard output.

Tripwire Enterprise 9.0 Reference Guide 36 Chapter 1. Using the Command Line Interface
Creating a Text-Match File

‘Text-match file’ is another term for a text file used as the match file in an operation run with
the by-match selection method; for instance, a promote-by-match operation (see Promoting
Element Versions with the CLI on page 35). To create a text-match file for the element-name or
rule-name matching strategies, follow these guidelines:
l Enter a single element or rule name on each line in the file.
l To insert a comment, enter the # symbol at the beginning of a line.

With the element-name strategy, you can insert the following wildcard characters in any element
name in a text-match file:

? = any single character

* = any number of characters, including zero

When creating a text-match file for the element-name and hash-value matching strategy, each
entry consists of lines identified in Table 11. If a current change version matches each of the
values specified by lines in an entry, TE runs the applicable operation.

For example, if an entry consists of the following lines ...

NAME:/etc/profile
TYPE:1
MD5:fad3b8ffdd172559eb8d8dc75cb9ba2d

... TE will run the operation if a current version represents a newly created monitored object that
has a name of /etc/profile and an MD5 hash of fad3b8ffdd172559eb8d8dc75cb9ba2d.

Table 11. Lines in an entry in a text-match file used with the

element-name and hash-value matching strategy

Line Required? Specifies ...

NAME Yes ... the name of an element.

TYPE Yes ... the type of change represented by a current version.

1 indicates the addition or creation of a new monitored

object.

2 indicates a modification in an existing object.

3 indicates the removal or deletion of an object.

MD5 No ... an MD5 hash value.

SHA or No ... an SHA-1 hash value.

SHA-1

SHA-256 No ... an SHA-256 hash value.

SHA-512 No ... an SHA-512 hash value.

Tripwire Enterprise 9.0 Reference Guide 37 Chapter 1. Using the Command Line Interface
Promoting by Reference with the CLI
The promoteRefNode command runs a promote-by-reference operation. For more information
about this type of promotion, see What is the By-Reference Selection Method? in the Tripwire
Enterprise User Guide.

Guidelines

The options and guidelines in the following sections apply to the promoteRefNode command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 12 on the next page defines additional options that may be applied to a promoteRefNode
command.
l The comment option is always required.
l To specify the reference node, you must enter the -z or -Z option.
l To specify the target node(s), you must enter at least one node option (node or Noids) or
node group option (nodeGroup or NGoids).

Results

When a promote-by-reference operation finishes, the CLI indicates whether or not the promote
operation completed successfully.

Example

Input
twtool.cmd promoteRefNode -n Node1 -r myRule -z Node2

Output
promoteRefNode: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 38 Chapter 1. Using the Command Line Interface
 Table 12. promoteRefNode command options

Option
(Short Form/
Long Form) Arguments

-r This option specifies the name of a rule to be used in the promote-by-

--rule reference operation. Enter each rule name exactly as it appears in
Tripwire Enterprise.

-R This option specifies the Object Identifiers (OIDs) for one or more
--Roids rules to be used in the promote-by-reference operation.

-c This option assigns a comment to each new element version created

--comment by the command.

-i This option assigns an Approval ID to each element version created by

--idref the command.

-z This option specifies the name or IP address of the reference node.

--referenceNode

-Z This option specifies the Object Identifier of the reference node.

--referenceNodeOid

-b If set to yes, element versions are only promoted if they match the
--useCurrentBaselinesOnly current baseline for the corresponding element on the reference
node.
If set to no (the default) element versions are promoted if they match
any baseline for the corresponding element on the reference node.

-t Specify a hash type to use with this promote operation. The possible
--hashType values are:
l MD5
l SHA-1
l SHA-256
l SHA-512

Tripwire Enterprise 9.0 Reference Guide 39 Chapter 1. Using the Command Line Interface
Exporting Objects with the CLI
With the export command, you can export a variety of Tripwire Enterprise objects to an XML
file.

Note Use the import command (see Importing Objects with the CLI on page 43) to
import the contents of an XML file to any Tripwire Enterprise implementation.

Guidelines

The options and guidelines in the following sections apply to the export command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 13 below defines additional options that may be applied to an export command.
l The outputFile option is required.
l Use the other options to specify the objects that TE should export.

Example

Input
twtool.cmd export -u administrator -o C:\cisconodes.xml -w "CiscoNodes"

Output
export: 8 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Table 13. export command options

Option
(Short Form/
Long Form) Arguments

-o This option defines the name and path of the XML file to which the
--outputFile objects will be exported.

-a This option specifies the name of an action to be exported. Each

--action action name should be entered exactly as it appears in Tripwire
Enterprise.

-A This option specifies the Object Identifiers (OIDs) for one or more
--Aoids actions to be exported.

Tripwire Enterprise 9.0 Reference Guide 40 Chapter 1. Using the Command Line Interface
 Option
(Short Form/
Long Form) Arguments

-b This option specifies the name of one or more home pages to be

--homepages exported. Each home page name should be entered exactly as it
appears in Tripwire Enterprise.

-B This option specifies the Object Identifiers (OIDs) for one or more
--HPoids home pages to be exported.

-c This option specifies the name of a policy test to be exported. Each

--policyTest policy test name should be entered exactly as it appears in Tripwire
Enterprise.

-C This option specifies the Object Identifiers (OIDs) for one or more
--Poids policy tests to be exported.

-g This option specifies the name of a report group to be exported. Each

--reportGroup report group name should be entered exactly as it appears in Tripwire
Enterprise.

-G This option specifies the Object Identifiers (OIDs) for one or more
--Regoids report groups to be exported.

-i This option specifies that the Tripwire Enterprise Console settings

--settings should be exported.

-j This option specifies the name of a report to be exported. Each report

--report name should be entered exactly as it appears in Tripwire Enterprise.

-J This option specifies the Object Identifiers (OIDs) for one or more
--reoids reports to be exported.

-k This option specifies the name of a task group to be exported. Each

--taskGroup task group name should be entered exactly as it appears in Tripwire
Enterprise.

-K This option specifies the Object Identifiers (OIDs) for one or more
--TGoids task groups to be exported.

-m This option specifies the name of a post-remediation service

--postRemediationCommands command to be exported. Each post-remediation service command
name should be entered exactly as it appears in Tripwire Enterprise.

-M This option specifies the Object Identifiers (OIDs) for one or more
--PRCoids post-remediation service commands to be exported.

-r This option specifies the name of a rule to be exported. Each rule

--rule name should be entered exactly as it appears in Tripwire Enterprise.

-R This option specifies the Object Identifiers (OIDs) for one or more
--Roids rules to be exported.

-t This option specifies the name of a task to be exported. Each task

--task name should be entered exactly as it appears in Tripwire Enterprise.

-T This option specifies the Object Identifiers (OIDs) for one or more
--Toids tasks to be exported.

Tripwire Enterprise 9.0 Reference Guide 41 Chapter 1. Using the Command Line Interface
 Option
(Short Form/
Long Form) Arguments

-v This option exports all log messages from the TE Console.

--logmessages

-x This option specifies the name of a rule group to be exported. Each

--ruleGroup rule group name should be entered exactly as it appears in Tripwire
Enterprise.

-X This option specifies the Object Identifiers (OIDs) for one or more rule
--RGoids groups to be exported.

-y This option specifies the name of an action group to be exported. Each

--actionGroup action group name should be entered exactly as it appears in Tripwire
Enterprise.

-Y This option specifies the Object Identifiers (OIDs) for one or more
--AGoids action groups to be exported.

-z This option specifies the name of a policy test group to be exported.

--policyTestGroup Each policy test group name should be entered exactly as it appears in
Tripwire Enterprise.

-Z This option specifies the Object Identifiers (OIDs) for one or more
--PGoids policy test groups to be exported.

Tripwire Enterprise 9.0 Reference Guide 42 Chapter 1. Using the Command Line Interface
Importing Objects with the CLI
With the import command, you can import the contents of an XML file containing various
TE objects.

Guidelines

The options and guidelines in the following sections apply to the import command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18

Table 14 on the next page defines additional options that may be applied to an import command.
l The type and file options are required.
l Use the optional handleConflicts option to specify how TE should handle import
conflicts, which represent a discrepancy between the content of an imported XML file and
the destination group.
l Use the optional dontOverwriteWeights option to preserve existing policy weights when
importing policy objects to a TE system.
l Use the other options to specify a group into which TE will import the contents of the
XML file. Without one of these options, TE will import the file's contents into the Root
Group for that object type.

Example

Input
twtool.cmd import -u administrator -t n -w "CiscoNodes" -f cisconodes.xml

Output
import: 11 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

If the import process encounters conflicts, the OID and name of the conflicting object are listed
in the output, along with the type of conflict. For more information, see What are Import
Conflicts? in the Tripwire Enterprise User Guide.

Tripwire Enterprise 9.0 Reference Guide 43 Chapter 1. Using the Command Line Interface
 Table 14. import command options

Option
(Short Form/
Long Form) Arguments

-t This option specifies the type of objects in the XML file to be imported.
--type
a or action = actions and/or action groups

b or homepages = homepages

i or settings = TE Console settings

j or report = reports and/or report groups

m or postremediation = post-remediation service commands

n or node = nodes and/or node groups

p or policy = policy tests and/or groups

r or rule = rules and/or rule groups

t or task = tasks and/or task groups

v or logmessage = log messages

-f This option identifies the name and path of the XML file to be imported.
--file

--handleConflicts Determines how Tripwire Enterprise handles import conflicts, a

discrepancy between the content of an imported XML file and the
destination group. For more information, see What are Import Conflicts?
in the Tripwire Enterprise User Guide.
l If set to useValuesFromImport, TE will retain the current data in TE
and import all other non-conflicting data.
l If set to useCurrentValues, TE will override the current data with
the data in the XML file.

Note: The = character must be used with this option, so the complete
form of the option is --handleConflicts=useValuesFromImport or --
handleConflicts=useCurrentValues.

-o If this option is specified, TE will not overwrite exiting weights for policies
--dontOverwriteWeights that it imports.

-g This option specifies the name of a report group to which the contents of
--reportGroup an XML node file will be imported. The name of a report group should be
entered exactly as it appears in Tripwire Enterprise.

-G This option specifies the Object Identifier (OID) for a report group to
--Regoids which the contents of an XML node file will be imported.

-k This option specifies the name of a task group to which the contents of an
--taskGroup XML node file will be imported. The name of a task group should be
entered exactly as it appears in Tripwire Enterprise.

Tripwire Enterprise 9.0 Reference Guide 44 Chapter 1. Using the Command Line Interface
 Option
(Short Form/
Long Form) Arguments

-K This option specifies the Object Identifier (OID) for a task group to which
--TGoids the contents of an XML node file will be imported.

-w This option specifies the name of a node group to which the contents of
--nodeGroup an XML node file will be imported. The name of a node group should be
entered exactly as it appears in Tripwire Enterprise.

-W This option specifies the Object Identifier (OID) for a node group to which
--NGoids the contents of an XML node file will be imported.

-x This option specifies the name of a rule group to which the contents of an
--ruleGroup XML rule file will be imported. Each rule group name should be entered
exactly as it appears in Tripwire Enterprise.

-X This option specifies the Object Identifier (OID) for a rule group to which
--RGoids the contents of an XML rule file will be imported.

-y This option specifies the name of an action group to which the contents of
--actionGroup an XML action file will be imported. Each action group name should be
entered exactly as it appears in Tripwire Enterprise.

-Y This option specifies the Object Identifier (OID) for an action group to
--AGoids which the contents of an XML action file will be imported.

-z This option specifies the name of a policy test group to which the contents
--policyTestGroup of an XML policy file will be imported. Each policy test group name should
be entered exactly as it appears in Tripwire Enterprise.

-Z This option specifies the Object Identifier (OID) for a policy test group to
--PGoids which the contents of an XML policy file will be imported.

Tripwire Enterprise 9.0 Reference Guide 45 Chapter 1. Using the Command Line Interface
Deleting Tripwire Enterprise Objects with the CLI
The delete command can be used to delete actions, action groups, elements, nodes, node groups,
policy tests, policy test groups, rules, and rule groups.

Guidelines

The options and guidelines in the following sections apply to the delete command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22
l Table 15 on the next page defines additional options that can be entered to indicate TE
objects to be deleted.

Note One or more values may be entered with each option defined in Table 15. For
example, you can enter one or more action OIDs with the Aoids option.

Results

When a delete operation finishes, the CLI indicates if the specified deletions were successful.

Example

Input
twtool.cmd delete -n mynode

Output
delete: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 46 Chapter 1. Using the Command Line Interface
 Table 15. delete command options

Option
(Short Form/
Long Form) Arguments

-a Specifies the name of an action to be deleted.

--action

-A Specifies the Object Identifier (OID) of an action to be deleted.

--Aoids

-y Specifies the name of an action group to be deleted.

--actionGroup

-Y Specifies the OID of an action group to be deleted.

--AGoids

-c Specifies the name of a policy test to be deleted.

--policyTest

-C Specifies the OID of a policy test to be deleted.

--Poids

-z Specifies the name of a policy test group to be deleted.

--policyTestGroup

-Z Specifies the OID of a policy test group to be deleted.

--PGoids

-r Specifies the name of a rule to be deleted.

--rule

-R Specifies the OID of a rule to be deleted.

--Roids

-x Specifies the name of a rule group to be deleted.

--ruleGroup

-X Specifies the OID of a rule group to be deleted.

--RGoids

Tripwire Enterprise 9.0 Reference Guide 47 Chapter 1. Using the Command Line Interface
Renaming TE Objects with the CLI
The setName command can be used to rename any Tripwire Enterprise object that can be
renamed.

Guidelines

The options and guidelines in the following sections apply to the setName command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18

Table 16 on the next page defines additional options that may be applied to a setName command.
l The newName option is required.
l Either an oldName and type or an objectOid is required.

Results

When the renaming operation is complete, the CLI indicates whether or not it completed
successfully.

Example

Input
twtool.sh setName --oldName "Old Nodes" --type nodeGroup --newName "New Improved
Nodes"

Output
setName: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 48 Chapter 1. Using the Command Line Interface
 Table 16. setName command options

Option
(Short Form/
Long Form) Arguments

-i The old name for the Tripwire Enterprise object to be renamed.

--oldName

-t The type of object to be renamed. Valid arguments for this option are:
--type l node
l nodeGroup
l policyTest
l policyTestGroup
l rule
l ruleGroup
l task
l taskGroup
l report
l reportGroup
l variable
l action
l actionGroup
l homepage
l postRemediation
l userGroup
l role

-o The Object Identifier (OID) for the object to be renamed.

--objectOid

-n The new name for the object.

--newName

Tripwire Enterprise 9.0 Reference Guide 49 Chapter 1. Using the Command Line Interface
Running Reports with the CLI
With the report command, you can complete either of the following operations:
l Create and save a new report without generating output.
l Compile output for a Tripwire Enterprise report. As appropriate, report output may be
limited to data associated with specific nodes and/or rules.

Guidelines

The options and guidelines in the following sections apply to the report command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 17 on the next page defines additional options that may be applied to a report command.

To create and save a new report, the create, title, and type options are required.
To run an existing TE report, enter only the title option. TE will search for an existing
report based on the title and run that report.
To run an ad hoc report, enter both the title and type options. TE will generate a new
report of the specified type with the specified title. Note that an ad hoc report can have the
same title as an existing report, and this title cannot be used to identify and run the ad
hoc report in the future. If you want to create a repeatable report, you should use the
create option as discussed above.

For all reports:

l The node option or Noids option is required.
l If you enter multiple node options (node or Noids) and/or node group options
(nodeGroup or NGoids), the CLI will compile report data for all specified nodes.

Example 1: Creating and Saving a New Report

Input
twtool.cmd report -t detailedchanges_rpt -T Report1 -c

Output
None.

Tripwire Enterprise 9.0 Reference Guide 50 Chapter 1. Using the Command Line Interface
Example 2: Compiling Output for a Report

Input
twtool.cmd report -n SonofKong -t detailedchanges_rpt
-T "My Change Report" -outputFile apps\junk.xml -F XML

Output
The report was written to: apps\junk.xml

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Table 17. report command options

Option
(Short Form/
Long Form) Arguments

-c This option specifies the name of a new report to be created and saved in the system.
--create

-r This option specifies the name of a rule. Rule names should be entered exactly as they
--rule appear in Tripwire Enterprise.

-R This option specifies the Object Identifiers (OIDs) for one or more rules.
--Roids

-x This option provides the name of a rule group. Rule group names should be entered
--ruleGroup exactly as they appear in Tripwire Enterprise.

-X This option specifies the Object Identifiers (OIDs) for one or more rule groups.
--RGoids

-T This option specifies the title of a new or existing report.

--Title

-o To save report output in an XML or PDF file, enter a name and path for the file with this
--outputFile option.

-F This option indicates the appropriate format for a generated report file.
--Format
XML

HTML

PDF

This option is required if you enter the --outputFile option.

Tripwire Enterprise 9.0 Reference Guide 51 Chapter 1. Using the Command Line Interface
 Option
(Short Form/
Long Form) Arguments

-t This option provides the template name of the report type to be run. For report type
--type definitions, see What are Reports and Report Types? in the Tripwire Enterprise User
Guide.

baselineelements_rpt = Baseline Elements Report

changedelements_rpt = Changed Elements Report

changeprocesscompliance_rpt = Change Process Compliance Report

changerate_rpt = Change Rate Report

changesbynodeorgroup_rpt = Changes by Node or Group Report

changesbyseverity_rpt = Changes by Severity Report

changevariance_rpt = Change Variance Report

changewindow_rpt = Change Window Report

compliancehistory_rpt = Compliance History Report

changesbyruleorgroup_rpt = Changes by Rule or Group Report

compositechanges_rpt = Composite Change Report

detailedchanges_rpt = Detailed Changes Report

detailedtestinventory_rpt = Detailed Test Inventory Report

detailedtestresults_rpt = Detailed Test Results Report

detailedwaivers_rpt = Detailed Waivers Report

deviceinventory_rpt = Device Inventory Report

element_contents_rpt = Element Contents Report

elements_rpt = Elements Report

frequentlychangedelements_rpt = Frequently Changed Elements Report

freqchangednodes_rpt = Frequently Changed Nodes Report

inventorychange_rpt = Inventory Changes Report

lastnodecheckstatus_rpt = Last Node Check Status Report

missingelements_rpt = Missing Elements Report

monitoringpolicy_rpt = Monitoring Policy Report

nodeswithchanges_rpt = Nodes with Changes Report

policyscorecard_rpt = Test Result Summary Report

remediationassessment_rpt = Remediation Assessment Report*

Tripwire Enterprise 9.0 Reference Guide 52 Chapter 1. Using the Command Line Interface
 Option
(Short Form/
Long Form) Arguments

remediationworkorders_rpt = Remediation Work Orders Details Report*

remediationworkordersummary_rpt = Remediation Work Orders Summary

Report*

referencenodevariance_rpt = Reference Node Variance Report

scoring_rpt = Scoring Report

scoringhistory_rpt = Scoring History Report

systemaccesscontrol_rpt = System Access Control Report

systemlog_rpt = System Log Report

testresultsbynode_rpt = Test Results by Node Criteria Report

unchangedelements_rpt = Unchanged Elements Report

unmonitorednodes_rpt = Unmonitored Nodes Report

userroles_rpt = User Roles Report

userrolesall_rpt = User Roles All Object Types Report

*These report types are only valid if an Automated Remediation license is installed
on the TE Console.

Tripwire Enterprise 9.0 Reference Guide 53 Chapter 1. Using the Command Line Interface
Running a Task with the CLI
The runtask command runs a Tripwire Enterprise task.

Guidelines

The options and guidelines in the following sections apply to the runtask command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18

Table 18 defines additional options that may be applied to a runtask command.

Results

When a runtask operation finishes, the CLI indicates if the task ran successfully.

Example

Input
twtool.cmd runtask -t myRuleTask

Output
promote: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Table 18. runtask command options

Option
(Short Form/
Long Form) Arguments

-t This option specifies the name of the task to be run.

--taskname

Tripwire Enterprise 9.0 Reference Guide 54 Chapter 1. Using the Command Line Interface
Running Actions with the CLI
The runaction command runs Tripwire Enterprise actions.

Guidelines

The options and guidelines in the following sections apply to the runaction command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 19 on the next page defines additional options that may be applied to a runaction
command.
l An existing action (action or Aoids) or action group (actionGroup or AGoids) must be
entered with a runaction command.
l One or more values may be entered with the action, Aoids, actionGroup, or AGoids
options. For example, you can enter one or more action names with the action option.

Results

When a runaction operation finishes, the CLI indicates if the action(s) ran successfully.

Example

Input
twtool.cmd runaction -a myaction -n mynode

Output
runaction: 5 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 55 Chapter 1. Using the Command Line Interface
 Table 19. runaction command options

Option
(Short Form/
Long Form) Arguments

-a This option specifies the name of an action to be run.

--action

-A This option specifies the Object Identifier (OID) of an action to be run.

--Aoids

-y This option specifies the name of an action group to be run.

--actionGroup

-Y This option specifies the OID of an action group to be run.

--AGoids

Tripwire Enterprise 9.0 Reference Guide 56 Chapter 1. Using the Command Line Interface
Creating TE Users with the CLI
The newUser command can be used to create a new Tripwire Enterprise user account.

Guidelines

The options and guidelines in the following sections apply to the newUser command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18

Table 20 on the next page defines additional options that may be applied to a newUser command.
l The name and newPassword options are required.
l Either the role or roleOid option is required.

Results

When the operation is complete, the CLI indicates whether or not the user account was
successfully created.

Example

Input
twtool.cmd newUser --name NewtUser --newPassword passphrase --email
"nuser@example.com" --description "Newt User" --role Administrator
--userGroup "Admin Group" --homepages "Admin Dashboard"

Output
Creating new user was successful. OID of the user: '-1y2p0ij32e89j:-
1y2p0ij323ft4'

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 57 Chapter 1. Using the Command Line Interface
 Table 20. newUser command options

Option
(Short Form/
Long Form) Arguments

-n The new TE user account name.

--name

-e (Optional) The e-mail address associated with the new user account.
--email

-d (Optional) A description of the new user account.

--description

-w The TE password associated with the new user account.

--newPassword

-r The user role assigned to the new user account.

--role

-R The OID of the user role assigned to the new user account.
--roleOid

-g (Optional) A quoted and comma-delimited list of TE user group names that the new
--userGroup user account is a member of.

-G (Optional) A comma-delimited list of TE user group OIDs that the new user account is
--UGoids a member of.

-m (Optional) A quoted and comma-delimited list of TE homepages that the new user
--homepages account can access.

-M (Optional) A comma-delimited list of TE homepage OIDs that the new user account
--HPoids can access.

Tripwire Enterprise 9.0 Reference Guide 58 Chapter 1. Using the Command Line Interface
Creating Log Messages with the CLI
With the createLogMessage command you can create Tripwire Enterprise log messages that can
be viewed in the TE Log Manager. You can generate Error or Info log messages, and associate
them with specific TE objects by specifying the object names in the command.

All log messages generated with the createLogMessage command have the log message category
SOAP Client in the TE Console.

Guidelines

The options and guidelines in the following sections apply to the createLogMessage command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 21 on the next page defines additional options that may be applied to a createLogMessage
command.
l The level and message options are required.
l Use the other options to specify objects associated with the log message.

Example

Input
twtool.cmd createLogMessage -v info -L "There is a problem" -n "Important Nodes"

Output
createLogMessage: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 59 Chapter 1. Using the Command Line Interface
 Table 21. createLogMessage command options

Option
(Short Form/
Long Form) Arguments

-v The level of log message to create. The only valid arguments for this
--level option are info and error.

-L The text of the log message.

--message

-a This option specifies the name of an action. Each action name should
--action be entered exactly as it appears in Tripwire Enterprise.

-A This option specifies the Object Identifiers (OIDs) for one or more
--Aoids actions.

-b This option specifies the name of one or more home pages. Each
--homepages home page name should be entered exactly as it appears in Tripwire
Enterprise.

-B This option specifies the Object Identifiers (OIDs) for one or more
--HPoids home pages.

-c This option specifies the name of a policy test. Each policy test name
--policyTest should be entered exactly as it appears in Tripwire Enterprise.

-C This option specifies the Object Identifiers (OIDs) for one or more
--Poids policy tests.

-g This option specifies the name of a report group. Each report group
--reportGroup name should be entered exactly as it appears in Tripwire Enterprise.

-G This option specifies the Object Identifiers (OIDs) for one or more
--Regoids report groups.

-j This option specifies the name of a report. Each report name should
--report be entered exactly as it appears in Tripwire Enterprise.

-J This option specifies the Object Identifiers (OIDs) for one or more
--reoids reports.

-k This option specifies the name of a task group. Each task group name
--taskGroup should be entered exactly as it appears in Tripwire Enterprise.

-K This option specifies the Object Identifiers (OIDs) for one or more
--TGoids task groups.

-m This option specifies the name of a post-remediation service

--postRemediationCommands command. Each post-remediation service command name should be
entered exactly as it appears in Tripwire Enterprise.

-M This option specifies the Object Identifiers (OIDs) for one or more
--PRCoids post-remediation service commands.

Tripwire Enterprise 9.0 Reference Guide 60 Chapter 1. Using the Command Line Interface
 Option
(Short Form/
Long Form) Arguments

-r This option specifies the name of a rule. Each rule name should be
--rule entered exactly as it appears in Tripwire Enterprise.

-R This option specifies the Object Identifiers (OIDs) for one or more
--Roids rules.

-t This option specifies the name of a task. Each task name should be
--task entered exactly as it appears in Tripwire Enterprise.

-T This option specifies the Object Identifiers (OIDs) for one or more
--Toids tasks.

-x This option specifies the name of a rule group. Each rule group name
--ruleGroup should be entered exactly as it appears in Tripwire Enterprise.

-X This option specifies the Object Identifiers (OIDs) for one or more rule
--RGoids groups.

-y This option specifies the name of an action group. Each action group
--actionGroup name should be entered exactly as it appears in Tripwire Enterprise.

-Y This option specifies the Object Identifiers (OIDs) for one or more
--AGoids action groups.

-z This option specifies the name of a policy test group. Each policy test
--policyTestGroup group name should be entered exactly as it appears in Tripwire
Enterprise.

-Z This option specifies the Object Identifiers (OIDs) for one or more
--PGoids policy test groups.

Tripwire Enterprise 9.0 Reference Guide 61 Chapter 1. Using the Command Line Interface
Configuring the Event Generator with the CLI
The configureNodeEventGenerator command can be used to configure audit event collection or
real-time monitoring on Tripwire Enterprise nodes. For more information, see How Does an
Event Generator Collect Audit Events? and How Does Real-Time Monitoring Work? in the
Tripwire Enterprise User Guide.

Guidelines

The options and guidelines in the following sections apply to the configureNodeEventGenerator
command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18

Table 22 on the next page defines additional options that may be applied to a
configureNodeEventGenerator command.

l Either the node, Noid, nGroup, or NGoid option is required.

Results

When the operation is complete, the CLI lists the nodes where the Event Generator was
configured successfully.

Example

Input
twtool.cmd configureNodeEventGenerator -node node.example.com --audit true

Output
Event Generator was configured on:
[node.example.com]

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 62 Chapter 1. Using the Command Line Interface
 Table 22. configureNodeEventGenerator command options

Option
(Short
Form/
Long Form) Arguments

-n The name of the node with the Event Generator you want to configure.
--node

-N The OID of the node with the Event Generator you want to configure.
--Noid

-w The name of a node group. The command will be applied to all nodes in or descending
--nGroup from this node group.

-W The OID of a node group. The command will be applied to all nodes in or descending from
--NGoid this node group.

-a If set to true, audit event collection is enabled.

--audit If set to false, audit event collection is disabled.

-e If set to true, the TE Event Generator is set as the event source.

--event If set to false, the TE Event Generator is disabled.

-r If set to true, real-time monitoring is enabled.

--realTime If set to false, real-time monitoring is disabled.

Tripwire Enterprise 9.0 Reference Guide 63 Chapter 1. Using the Command Line Interface
Viewing Tripwire Enterprise License Files with the CLI
With the getLicenseInfo command, you can check the license files associated with a Tripwire
Enterprise installation. For more information about licenses, see About Tripwire Enterprise
Licenses in the Tripwire Enterprise User Guide.

Guidelines

The options and guidelines in the following sections apply to the getLicenseInfo command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18

Example

Input
twtool.cmd getLicenseInfo

Output
(License file info, in the same format that it appears in the License section of the
TE Settings Manager)
If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 64 Chapter 1. Using the Command Line Interface
Setting Custom Property Values with the CLI
In the properties of specified nodes, elements, or element versions, the setcustomproperty
command sets a specified value for a custom property. This value can either be the property’s
default value or a custom value.

Guidelines

The options and guidelines in the following sections apply to the setcustomproperty command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18
l Limiting Commands to Specific Nodes and Elements on page 22

Table 23 on the next page defines additional options that may be applied to a setcustomproperty
command.
l To specify the custom property for which a value will be set, the propertyname,
targettype, and valuetype options are required.

l To specify the value, the usedefault or value option is required.

l The node, Noids, nodegroup, or NGoids option is required.
l To set a value for an element custom property or version custom property, the element or
Eoids option is also required.

Note To set a value for a node custom property, the element and Eoids options
are not required.

Results

When a setcustomproperty operation finishes, the CLI indicates if the specified value was
successfully applied to the specified TE objects.

Example

Input
twtool.cmd setcustomproperty -t n -f text -c myproperty -n mynode -v mytext

Output
setcustomproperty: 1 success, 0 failed.

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 65 Chapter 1. Using the Command Line Interface
 Table 23. setcustomproperty command options

Option
(Short Form/
Long Form) Arguments

-c The name of a custom property. The CLI will assign a specified value for this
--propertyname property to each TE object identified by the command.

-t Indicates the type of custom property:

--targettype
v = Version custom property

e = Element custom property

n = Node custom property

Note: If you enter “v”, the specified value will be saved in the properties of the
current version of each specified element.

-v Defines a custom value for the custom property. With this option, the CLI assigns
--value this value to each of the specified TE objects.

-d Assigns the custom property’s default value to each of the specified TE objects.
--usedefault

-f Indicates the data type of the custom property:

--valuetype
yesno = Yes/No

select = Select

text = Text

numeric = Numeric

date = Date
Note: A custom property’s data type determines the kind of values that can be
entered. For more information, see What are Custom Properties? in the Tripwire
Enterprise User Guide.

Tripwire Enterprise 9.0 Reference Guide 66 Chapter 1. Using the Command Line Interface
Creating Launch in Context URLs with the CLI
The licurl command generates a URL for the Tripwire Enterprise Launch in Context feature.
When you enter a Launch in Context URL in your Web browser, the specified Tripwire
Enterprise component opens. The command, options, and arguments specified in the URL
determine which data is displayed.

With the licurl command, you can generate a Launch in Context URL to view the results of the
following types of searches:
l An ad hoc search for nodes by name
l An ad hoc search for changed elements on specified nodes
l An ad hoc search for element versions associated with an approval identifier
l A saved search for nodes, elements, or element versions

Guidelines

Some of the options and guidelines in the following sections apply to the licurl command.
l CLI Command Format and Standards on page 16
l Setting Common Options with the CLI on page 18

Table 24 on the next page defines additional options that may be applied to a licurl command.
l The service option is always required.
l To run an ad hoc search, the node, element, or idref option is required.
l To run a saved search, the savedsearch and savedsearchtype options are required.

Results

The CLI generates a Launch in Context URL based on the entered criteria. To launch the
Tripwire Enterprise interface with the requested data, enter the URL in your Web browser.

Example 1

Input
twtool.cmd licurl -n fisherman.ocean.com -n 192.168.10.201

Output
https://contractor01.example.com/console/lic.nodeSearch.cmd?
nodes_op=equals&nodes=fisherman.ocean.com
%0D192.168.10.201&lic=true

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Tripwire Enterprise 9.0 Reference Guide 67 Chapter 1. Using the Command Line Interface
Example 2

Input
twtool licurl -t nodeSearch -d mySavedNodeSearch

Output
https://localhost/console/lic.nodeSearch.cmd?searchName=
mySavedNodeSearch

If an error occurs, the program exits with error code 1. Otherwise, it exits with 0.

Table 24. licurl command options

Option
(Short Form/
Long Form) Arguments

-n This option specifies the IP address or resolvable hostname of a single node.

--node Tip: For faster command execution, Tripwire recommends the use of resolvable
hostnames with this option.

-e This option shows all changed elements for a specified node.

--element

-i This option specifies an approval identifier. With this option, the Launch in
--idref Context URL will retrieve promoted element versions associated with the
approval identifier.

-o This option applies one of the following operators to search criteria:

--operator
c = contains

e = excludes

n = not equal to
If an operator is not entered, the CLI uses the equals operator (=) to generate
the URL.

-d This option specifies the name of a saved search.

--savedsearch

-t This option identifies the type of saved search specified by the -d option.
--savedsearchtype
nodeSearch

elementSearch

versionSearch

Tripwire Enterprise 9.0 Reference Guide 68 Chapter 1. Using the Command Line Interface
Viewing the Current CLI Version Number
The version command outputs the current version of the Command Line Interface. This
command does not support any options or arguments.

Note If you consult Tripwire Technical Support regarding a CLI-related issue, support
personnel may request the CLI version number.

Example

Input
twtool.cmd version

Output
8.4.0.bathena.r20150821200516-e31134c.b1340

Tripwire Enterprise 9.0 Reference Guide 69 Chapter 1. Using the Command Line Interface
 Chapter 2.
Monitoring AAA Log
Messages
What is the Tripwire Enterprise AAA Log Monitoring Tool?
The Tripwire Enterprise AAA Log Monitoring Tool is a Perl-based application that monitors
log files created by a AAA (authentication, authorization, and accounting) server. Each AAA log
file contains one or more log messages. As new entries are added to a AAA log file, the log
monitoring tool periodically parses and forwards the entries to the Tripwire Enterprise Server.
l If a AAA log message was generated by activity on a monitored system, a new TE log
message is created in the Log Manager.
l If you integrated TE with Tripwire® LogCenter® (TLC), then TE will also forward AAA
log messages to TLC.

Notes In the Log Manager, Tripwire Enterprise assigns a Category of TACACS+ or

RADIUS to each TE log message originating with the Tripwire Enterprise AAA
Log Monitoring Tool.

TACACS (Terminal Access Controller Access Control System) is a network-

access protocol that authenticates users by allowing a remote access server to
communicate with an authentication server. RADIUS (Remote Authentication
Dial-In User Service) is an authentication protocol used in communications
between a remote access server and an authentication server.

The Tripwire Enterprise AAA Log Monitoring Tool can parse log files created by the following
auditing services:
l Cisco Secure ACS for Windows TACACS+ administration and accounting
l Cisco Secure ACS for Windows RADIUS accounting
l Cisco Secure ACS Appliance TACACS+ administration and accounting
l Cisco Secure ACS Appliance RADIUS accounting
l tac_plus
l RADIUS (with Livingston format logs)

For system requirements, installation instructions, and usage guidelines, see Working with the
Tripwire Enterprise AAA Log Monitoring Tool on the next page.

Tripwire Enterprise 9.0 Reference Guide 71 Chapter 2. Monitoring AAA Log Messages
Working with the Tripwire Enterprise AAA Log Monitoring Tool

System Requirements
To run the Tripwire Enterprise AAA Log Monitoring Tool, a standard Perl 5 distribution must
be installed on the host system. To download a prepackaged Perl distribution for Windows or
Linux, visit the ActiveState Web site (www.activestate.com).

If not provided with your Perl distribution, the following Perl modules must also be installed on
the host system:
l Net::HTTPS

l Text::CSV

l LWP::ConsoleLogger::Everywhere

l Getopt::Std

l LWP::UserAgent

For instructions on obtaining and installing Perl modules, see the O’Reilly Network Web site
(http://www.perl.com).

Installing the Tripwire Enterprise AAA Log Monitoring Tool

The Tripwire Enterprise AAA Log Monitoring Tool may be installed on any AAA server
running a compatible auditing service. For an introduction to the log tool and a list of supported
auditing services, see What is the Command Line Interface? on page 9.

To install the Tripwire Enterprise AAA Log Monitoring Tool:

1. On the Tripwire Enterprise installation DVD, locate te_log_aaa.pl in the /extras/aaa/
directory.
2. Copy te_log_aaa.pl to the directory from which the logging tool will be run.
3. In the Settings Manager of the Tripwire Enterprise interface, add the host machine’s
hostname or IP address to the list of integration hosts. For instructions, see Changing
System Preferences in the Tripwire Enterprise User Guide.

Tripwire Enterprise 9.0 Reference Guide 72 Chapter 2. Monitoring AAA Log Messages
Running the Tripwire Enterprise AAA Log Monitoring Tool
To parse an external log file with the Tripwire Enterprise AAA Log Monitoring Tool, enter a
command with the following format at the command prompt:

perl te_log_aaa.pl -s <te_host> -p <te_port> -f <log_file>

Table 25 (below) defines the options that may be entered in a command.

The following command parses a RADIUS log file (active.csv) located in the /var/log/radius
directory. In this example, the Tripwire Enterprise AAA Log Monitoring Tool communicates
with the Tripwire Enterprise Server (somehost).

perl te_log_aaa.pl -s somehost -f /var/log/radius/active.csv

Log File Rotation

The Tripwire Enterprise AAA Log Monitoring Tool continues to monitor AAA log files through
regular file rotations. After rotation of a AAA log file, the logging tool scans both the archived
log file and the newly-created log file to ensure that all information recorded during the rotation
process is submitted to Tripwire Enterprise.

Table 25. AAA Log Monitoring Tool options

Option Required? Description

–s <te_host> Yes This option provides the resolvable hostname or IP address of the
Tripwire Enterprise Server.

–f <log_file> Yes This option identifies the name and path of the external log file to be
monitored.

–p <te_port> No This option indicates the HTTP port on which the Tripwire Enterprise
Server receives external commands. The Tripwire Enterprise AAA Log
Monitoring Tool communicates with the Tripwire Enterprise Server via
this port. This port is specified during installation of Tripwire
Enterprise.
If this option is omitted from a command, the logging tool defaults to
port number 8080.

–d No This option instructs the Tripwire Enterprise AAA Log Monitoring Tool
to recognize DOS-style newline character sequences (combined
CR/LF) following each log file entry. Enter this option if you 1) run the
tool from a UNIX system, and 2) monitor an external log file that uses
DOS-style newlines.

–v No This option runs the Tripwire Enterprise AAA Log Monitoring Tool in
verbose mode. This option is primarily used for configuration and de-
bugging.

-1 No This option instructs the tool to parse all existing entries in an external
log file, and then exit. If this option is omitted from a command, the
tool parses each new entry when it is added to the log file.
This option is typically used for de-bugging.

-h No This option displays a usage statement for the Tripwire Enterprise

AAA Log Monitoring Tool.

Tripwire Enterprise 9.0 Reference Guide 73 Chapter 2. Monitoring AAA Log Messages
AAA Log Messages that Trigger Version Checks
Tripwire Enterprise supports triggered version checks. A version check can be triggered
automatically if the content of a AAA log message matches an entry in the
logtriggers.properties file for the supported device. Tripwire Enterprise supports triggered
version checks for two types of devices:
l Cisco IOS
l Cisco CatOS

If multiple logs containing triggers are received in the same batch, only one version check is run.

Tripwire Enterprise Console contains the following configuration file, which displays a list of
inclusion and exclusion patterns by device type:

<te_root>/server/data/config/logtriggers.properties

The following examples will trigger a version check for any log containing a write command,
except write network.

Example of an include value:

logtrigger.cisco_catos.message.include.32=cmd: 'write.*'

Example of an exclude value:

logtrigger.cisco_catos.message.exclude.1 = write network

Tripwire Enterprise 9.0 Reference Guide 74 Chapter 2. Monitoring AAA Log Messages
Supported AAA Log Formats
Tripwire Enterprise supports the following log formats for AAA servers.

Table 26. Supported log formats for AAA servers

Supported Log Formats AAA Server Types

l TACACS+ Administration l Cisco Secure ACS for Windows
l TACACS+ Accounting l Cisco Secure ACS Appliance
l RADIUS Accounting
l tac_plus Other
l RADIUS (with Livingston format logs; see below)

Sample RADIUS (Livingston)

Livingston accounting format records are multi-line records with one attribute = value pair
listed per line, and with records separated by a blank line. Following is an example of how
RADIUS accounting packets are logged (generated by Cistron RADIUS server 1.6.7).

Mon Oct 24 11:24:05 2005

NAS-IP-Address = 10.10.10.3
NAS-Port = 6
NAS-Port-Type = Virtual
User-Name = "cisco"
Called-Station-Id = ""
Calling-Station-Id = "10.10.10.10"
Acct-Status-Type = Stop
Acct-Authentic = Remote
Service-Type = NAS-Prompt-User
Acct-Session-Id = "0000008D"
Acct-Terminate-Cause = Idle-Timeout
Acct-Session-Time = 317
Acct-Delay-Time = 0
Client-IP-Address = 10.10.10.1
Timestamp = 1072293845
Request-Authenticator = Verified

Tripwire Enterprise 9.0 Reference Guide 75 Chapter 2. Monitoring AAA Log Messages
 Chapter 3.
System Properties
Tripwire Enterprise Console Configuration Properties
Table 27 lists the configuration properties for Tripwire Enterprise (TE) Console. All of these
properties can be set in the TE Console configuration file
(<te_root>/server/data/config/server.properties).

Tip You can also configure most of these properties from the TE Console Settings
Manager (System > Configure TE Console).

Table 27. Configuration properties for TE Console

Property Description
Active Directory GPO Monitoring If true, TE Agents will omit Group Policy settings from
tw.ad.noGpoContent baseline operations and version checks of Active Directory
entries.

Default Value: false

Agent Baseline/Check This property sets a limit on the number of TE Agents that
Limit can be baselined or version checked at the same time by a
tw.concurrentAgents single operation. If the number of TE Agents exceeds this
value, Tripwire Enterprise will queue any additional
TE Agents. TE Agents in the queue will be baselined or
version checked as Tripwire Enterprise finishes the operation
on other TE Agents.
Default Value: 50

Agent Ping Rate When TE version checks a TE Agent, it pings the Agent at an
tw.agent.ping interval set by this property to verify the Agent’s
responsiveness.
Default Value: 90,000 milliseconds (90 seconds)

Agent Restart Limit The maximum number of TE Agents that can concurrently
tw.agent.restart. bootstrap and register with TE Console. Restart requests that
exceed this value will be queued until a pool slot is available.
poolSize
Default Value: 10

Agent Restart Timeout The amount of time the TE Server will wait for a TE Agent to
tw.agent.restart. register itself after a restart command. Once the time is
exceeded, the TE Server will assume that the TE Agent is not
timeout responding.
Default Value: 360,000 milliseconds (6 minutes)

Tripwire Enterprise 9.0 Reference Guide 77 Chapter 3. System Properties

 Property Description
Agent Reverse Lookup When a TE Agent starts up following installation, it sends its
tw.agent.restart. IP address to the Tripwire Enterprise Server.
reverseLookup l If the TE Server confirms that the address is valid, it
uses the address to register the TE Agent.
l If the TE Server is unable to confirm the validity of the
address, and this property is set to true, the server will
perform a reverse lookup before registering the
TE Agent.
Default Value: false

Tip: If your TE Server has a slow or non-existent DNS, set

this property to false.

Agent The maximum number of TE Agents that can concurrently

Synchronization synchronize data with the Tripwire Enterprise Server.
Limit
tw.agentCallback. Default Value: 10
poolSize
Agent Task Logging Saves detailed information about running TE Agent tasks in
tw.agent.debug the TE Console log file:

<te_root>/server/data/log/teserver.log

Default Value: false

Allow Legacy FIPS If true, the Console allows pre-8.4.1 TE Agents in FIPS
tw.te.crypto. mode to connect to the Console.
allow_legacy_fips
Default Value: true

Audit Event Batch Size Specifies the number of audit events in each batch sent by
tw.fs.eventCacheSize TE Agents to the TE Console.
Default Value: 500

Audit Event Harvesting Indicates whether or not the TE Agent should prevent audit
tw.agent.noaudit event harvesting.

Default Value: false

Auto Certificate Signing If set to true, TE Console will not allow automatic signing of
tw.te.crypto. TE Agent certificates.
sideband_signaling_disabled
Default Value: false

Tripwire Enterprise 9.0 Reference Guide 78 Chapter 3. System Properties

 Property Description
Baseline on First Specifies what happens when TE runs a version check using
Rule Run a rule before creating a baseline with that rule.
tw.baseline.on.
first.check If set to false, all of the resulting element versions are
marked as additions. This is the default behavior in Tripwire
Enterprise 8.0 and earlier.

If set to true, all of the resulting element versions are

marked as baseline versions. This is the default behavior in
Tripwire Enterprise 8.1 and later.

Default Value: true

Change Consumer Limit Defines the number of change consumers that can
tw.changeConsumers concurrently process changes posted from Agents. For
example, if this setting is 5 for a baseline operation of 10
Agents each with a batch size of 1000, the TE Server will only
post 5 batches at a time to the database. On an IO BOUND
system, reducing this number increases performance by
forcing writes to the TE Console database to be more
synchronous. If the database is not IO BOUND, increasing
this number should increase performance when many
Agents are being baselined at the same time.
Default Value: 6

Concurrent Incoming Defines the number of incoming requests from TE Agents

Requests that can be executed concurrently before other requests are
tw.rpc.exec. queued. Normally this does not need to be adjusted.
threadPoolSize Default Value: 10

Concurrent Report Tasks The maximum number of report tasks that can be run
tw.tasks. concurrently by TE Console. TE queues any report tasks that
exceed this limit, and the queued tasks are run when threads
reportTaskConcurrency become available.
Default Value: 1

Concurrent Rule Tasks The maximum number of baseline rule tasks and/or check
tw.tasks. rule tasks that can be run concurrently by TE Console. TE
queues any rule tasks that exceed this limit, and the queued
ruleTaskConcurrency tasks are run when threads become available.

Default Value: 20

Concurrent Task Defines the number of threads used to process concurrent

Threads tasks. Currently, this property only impacts network device
tw.task. rules.
threadPoolSize Default Value: 10

Debug Tracing If true, turns on debug tracing for TE Agents through

com.tripwire.trace Dbg.trace() calls.

Default Value: false

Tripwire Enterprise 9.0 Reference Guide 79 Chapter 3. System Properties

 Property Description
Disable Customer Center Widgets If true, prevents TE Announcements widgets, TE Developer
com.tripwire. Blog widgets, and TE Forums widgets, and TE Knowledge
Base widgets from downloading content from the Tripwire
ui.homepage.
Enterprise Customer Center.
disableCustomer
CenterWidgets Default Value:false

Display Harvested Log Messages Determines if the UI displays harvested log messages for the
tw.elementVersion. first version of an element.
displayLogMessages
Default Value: true
ForFirstVersion

E-mail Server Timeout The amount of time an e-mail server has to respond before a
com.tripwire.mail. timeout occurs. Useful if the e-mail server is exceedingly
busy or slow to respond.
smtp.timeout
Default Value: 20,000 milliseconds (20 seconds)

Execution Action Log Messages If an exception occurs when an execution action is run,
tw.rexec. Tripwire Enterprise always creates an Error log message.
nonzerostatus.log If this property is set to true, an Error log message will also
be created if an execution action results in a non-zero exit
status.

Default Value: true

Global TE Session Timeout Setting This setting defines a time after which a TE session is closed,
tw.shiro.session.timeout.minutes regardless of user or API activity. The range of values for this
property is 181 - 10000.
Default Value: 1441 (24 hours + 1 minute)

HP-UX Tracing Set this if you need to get trace info from the HP-UX package
com.tripwire.si. cataloging on TE Agents.
hpux.pkg.trace
Default Value: false

HTTP Non-blocking I/O Enables non-blocking input/output mechanisms to service

tw.http.nio HTTP requests in the TE Console.

Default Value: true

HTTP Request The maximum number of simultaneous threads to use for

Handler Pool Size handling HTTP requests.
tw.http.poolSize
Default Value: 20

HTTPS Request The maximum number of simultaneous threads to use for

Handler Pool Size handling HTTPS requests.
tw.https.poolSize
Default Value: 20

HTTP Request The maximum number of HTTP connections that can be

Handler Queue Size queued for handling by the request thread pool.
tw.http.queueSize
Default Value: 5000

Launcher Debugging If true, turns on low-level startup debug tracing.

tw.launcher.debug
Default Value:false

Tripwire Enterprise 9.0 Reference Guide 80 Chapter 3. System Properties

 Property Description
Launcher Timeout The time used for the first retry timeout.
Initial Value
tw.launcher. Default Value: 5
timeout.initial

Launcher Timeout Maximum The maximum amount of time an Agent will wait to retry
tw.launcher. registering with the Tripwire Enterprise Server.
timeout.max Default Value: 1800

Launcher Timeout Multiplier The number by which the registration-retry timeout is

tw.launcher. multiplied after each retry failure.
timeout.multiplier Default Value: 1.5

Launcher Timeout Salt The maximum amount of extra "random" time that should be
tw.launcher. added to each registration retry timeout in order to prevent
multiple Agents from continuously retrying in lockstep.
timeout.salt
Default Value: 5

Legacy Agent Communication The ciphers used in SSL negotiation for TE Agent
Ciphers communication.
tw.rmi.ciphers
Default Value: TLS_ECDHE_ECDSA_WITH_AES_256_
GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

Legacy Agent Communication TLS A comma-separated list of TLS protocols used in SSL
protocols negotiation for TE Agent communication.
tw.rmi.clientProtocols
Default Value: TLSv1.2, TLSv1

Legacy Agent Communication TLS A comma-separated list of TLS protocols used in SSL
protocols negotiation for TE Agent communication.
tw.rmi.serverProtocols
Default Value: TLSv1.2, TLSv1

MySQL Database SSL Mode Specifies how the TE Console should use SSL to connect to a
tw.database.mysql.ssl MySQL database. Valid options are: request, require, off.

Default Value: request

Package Batch Size Specifies the batch size for package entries that are sent to
tw.fs. the Tripwire Enterprise Server by TE Agents.
packageEntryCacheSize Default Value: 5000

Package Cataloging Indicates whether or not TE Agents should prevent package

tw.agent.nopkg cataloging.

Default Value: false

Prevent Promotion Log Messages If set to false, Tripwire Enterprise creates a single log
tw.promote. message for each promoted element version.
noLogging
If set to true, this property prevents the creation of these
log messages.

Default Value: true

Tripwire Enterprise 9.0 Reference Guide 81 Chapter 3. System Properties

 Property Description
Real-Time Action (Applies only to change versions created by real-time version
Interval checks.) Specifies a time interval when TE runs the actions
tw.server.realTime. associated with the rules used to identify the change versions
that are currently pooled on the TE Server.
scopePeriod
Note: TE will also run these actions if an Agent submits:
l A change version of an element for which TE has not
previously run the associated rule's actions, or
l A batch of change versions that pushes the Real-Time
Element Maximum property over its specified limit.
Default Value: 300,000 milliseconds (5 minutes)

Real-Time Element The maximum number of elements for which actions may be
Maximum run in a single Real-Time Action Interval.
tw.server.realTime.
Default Value: 100,000
maxElements
Remote Request The default priority for threads that execute incoming remote
Thread Priority requests from monitored TE Agent systems. Normally does
tw.rpc.exec. not need to be adjusted.
threadPriority Default Value: 5

Restore Timeout This property sets the timeout for files transferred from the
com.tripwire.tftp. Tripwire Enterprise Server to a network device during a
restore operation. If a network device does not request
availability transfer of a file within the specified time, TE Console
terminates the connection.
Default Value: 60 seconds

RMI Client Protocols A comma-separated list of TLS protocols used by RMI client
tw.rmi. sockets.
clientProtocols
Default Value: TLSv1

RMI Server Protocols A comma-separated list of TLS protocols used by RMI server
tw.rmi. sockets.
serverProtocols
Default Value: TLSv1 (for systems with FIPS mode
enabled) or
TLSv1, SSLv2Hello (for systems without FIPS mode
enabled)

RSA Key Size Controls the size of RSA keys generated for the master CA,
tw.channel. RMI host CA, RMI client, and RMI server for the TE Console.
rsaKeySize
Default Value: 4096

Run Command Output This setting determines if Tripwire Enterprise runs COCRs
Capture Rules sequentially (true) or simultaneously (false) on TE Agents.
Synchronously
tw.cecr.forceSync Default Value: true

Run File System Rules This setting determines if Tripwire Enterprise runs file system
Synchronously rules sequentially (true) or simultaneously (false) on
tw.fsi.forceSync TE Agents.

Default Value: false

Tripwire Enterprise 9.0 Reference Guide 82 Chapter 3. System Properties

 Property Description
Run Registry Rules Synchronously This setting determines if Tripwire Enterprise runs Windows
tw.winreg.forceSync registry rules sequentially (true) or simultaneously (false)
no TE Agents.

Default Value: false

Security Audit Logging If set to true, Security Audit logging is started and the
tw.securityAuditLog. tetool import subcommand is disabled. Security Audit
enabled logging turns on logging that meets the auditing
requirements defined in the ST.
Note: If Security Audit Logging is enabled, access to the
TE SOAP API is disabled.

Default Value: false

Sleep/Yield Setting If greater than 1, performs a sleep after each check is

tw.agent.niceLevel performed.
Default Value: 0

Start Point / Stop Point Container This property affects start points and stop points (i.e.
Objects specifiers) in the following rule types:
tw.filter.accept.
Windows registry rules
directories
Windows file system rules
UNIX file system rules

If true, the Include and Exclude fields in the specifier's

properties will only include or exclude the specified
monitored objects.

If false, these fields will also include or exclude any

container objects (e.g. directories and registry entries) from
which the specified objects are descended.
Default Value:
No value set for new installations of Tripwire Enterprise.

true for upgraded installation of Tripwire Enterprise.

System Lock If true, turns on debug information for the system lock
Debugging manager.
com.tripwire.
locking.debug Default Value: false

Task Thread Priority Set this to change the thread priority for checking/baselining
tw.agent. on a TE Agent node.
taskPriority Default Value: 5

TE Console Database Defines the number of milliseconds to wait before deciding

Connection Deadlock that all connections are deadlocked.
tw.database.
The deadlock will be broken by creating a new unmanaged
deadlockTimeout connection.
Default Value: 120,000 milliseconds (2 minutes)

Tripwire Enterprise 9.0 Reference Guide 83 Chapter 3. System Properties

 Property Description
TE Console Database Defines the maximum number of connections to which the
Connection Limit TE Console database connection pool can grow.
tw.database.
Increase this value when you experience many waiting
maxConnections connections or connection-acquisition deadlock.
Default Value: 30

TE Console Database Defines the number of milliseconds a connection can be idle

Connection Timeout before it is closed.
tw.database.
Default Value: 1,200,000 milliseconds (20 minutes)
maxConnectionLease
TE Console Database Defines the number of times a connection can be reused
Connection Usages before it is closed.
tw.database.
Default Value: 1500
maxConnectionUsages
TE Console Database Defines the host where the TE Console database resides.
Host
tw.database.host Default Value: localhost

TE Console Database Sets the maximum number of rows that can be displayed in a
Pagesize Limit single page of any table in the Tripwire Enterprise interface.
tw.database.paging.
Default Value: 5,000
lookAheadRows
TE Console Database Defines the passphrase used to authenticate the database
Passphrase user when Tripwire Enterprise accesses the TE Console
tw.database.passphrase database.
Default Value: Your services passphrase (encrypted)

TE Console Database Defines the location and name of the TE Console database.
Path
tw.database.path Default Value: MySQL = te

Note: A default value is not provided for Oracle and

Microsoft SQL Server databases.

TE Console Database Defines the port where the TE Console database resides.
Port
tw.database.port Default Value: MySQL = 3306
or
Oracle = 1521
or
SQL Server = 1433

TE Console Database Defines the number of prepared statements that can be

Statement Cache cached in any single connection.
tw.database.
These are cached using an LRU map, meaning that older
statementCacheSize statements will be freed before newer statements when the
cache size is equal to or greater than the specified limit.
Default Value: 20

Tripwire Enterprise 9.0 Reference Guide 84 Chapter 3. System Properties

 Property Description
TE Console Database Defines the type of database backend. The choices are
Type mysql, sqlserver, or oracle.
tw.database.type
Default Value: mysql

TE Console Database Defines the database user for the TE Console database.
User When Tripwire Enterprise accesses the database, the
tw.database.user database user and your services passphrase are required for
authentication.
Default Value: root

TE Proxy Interface Map Informs the TE Server of the IP addresses used by TE Agents
tw.proxy.nicMap to communicate with a TE proxy. For more information, see
Configuring a Tripwire Enterprise Proxy for Agent
Communication in the Tripwire Enterprise Installation &
Maintenance Guide.
Default Value: null

Telnet Tracing If true, turns on tracing for the Telnet protocol.

com.tripwire.common.
net.telnet.debug Default Value: false

Temporary Report By default, the temporary files used by Tripwire Enterprise

File Deletion reports are deleted after 60 minutes of existence. If you are
tw.tempfilemanager. running reports that take longer than an hour to complete,
you should set a longer time interval for clean up of the files
fileLifespanMins
in the temp directory.

Default Value: 60 minutes

TFTP Access Timeout This property sets the timeout for files transferred from a
com.tripwire.tftp. network device to the Tripwire Enterprise Server via TFTP. If
a network device does not begin transfer of a file within the
access specified time, TE Console assumes an error occurred and
terminates the connection.
Default Value: 60 seconds

TFTP Server Thread The priority of threads receiving data from monitored
Priority network devices via TFTP.
com.tripwire.common.
net.tftp.priority Default Value: 6

TFTP Tracing If true, turns on tracing for the TFTP protocol.

com.tripwire.common.
net.tftp.debug Default Value: false

Tomcat File Size Limit The tomcat import file size limit.
tw.webserver.
Default Value: 20,000,000 bytes
maxUploadSize
Version Batch Size Specifies the number of changes that are collected into a
tw.agent. block before being sent to the TE Server.
changeBlockSize Default Value: 500

Tripwire Enterprise 9.0 Reference Guide 85 Chapter 3. System Properties

 Property Description
vCenter Node Sync This property affects how vCenter nodes are synchronized.
tw.vi.vmware.
alwaysSync If set to false (or if no value is set), the TE Console will
optimize the vCenter syncing process by first checking for
events on the vCenter server that indicate a change in the
vCenter hierarchy. These events are TaskEvents (such as
rename, move an object) and PermissionEvents (such as
access permission deletion). If none of these types of events
exist on a vCenter node, Tripwire Enterprise will not attempt
to synchronize the node.

If set to true, the TE Console will always synchronize

vCenter nodes, bypassing the optimization check described
above. This guarantees that synchronization will always take
place on vCenter nodes.

Default Value: false

Widget (TE Specifies the source URL for TE Announcement widgets.

Announcements)
Source URL Default Value:
com.tripwire.space. com.tripwire.space.core.homepage.
core.homepage. announcements.url=https://www.tripwire.com
announcements.url /_widget/enterprise.cfm?type=3
Note: A source URL is the URL from which a Customer
Center Homepage Widget's content is downloaded from the
Customer Center.

Widget (Developer Specifies the source URL for Developer Blog widgets.
Blog) Source URL
com.tripwire.space. Default Value:
core.homepage. com.tripwire.space.core.homepage.
devBlogs.url devBlogs.url=https://www.tripwire.com
/_widget/enterprise.cfm?type=2

Widget (TE Forums) Specifies the source URL for TE Forum widgets.
Source URL
com.tripwire.space. Default Value:
core.homepage. com.tripwire.space.core.homepage.
forums.url forums.url=https://www.tripwire.com
/_widget/enterprise.cfm

Widget (TE Specifies the source URL for TE Knowledge Base widgets.
Knowledge Base)
Source URL Default Value:
com.tripwire.space. com.tripwire.space.core.homepage.
core.homepage. knowledgeBase.url=/plugins/console
knowledgeBase.url /communityKnowledgeBase.jsp

Tripwire Enterprise 9.0 Reference Guide 86 Chapter 3. System Properties

Tripwire Enterprise Agent Configuration Properties
Table 28 lists the configuration properties for Tripwire Enterprise (TE) Agent. These properties
can be set in the Agent configuration file (<te_root>/agent/data/config/agent.properties). If
you modify the property values in the configuration file, you must re-start the Agent service to
update the Agent (see Managing the Tripwire Enterprise Agent Service in the Tripwire
Enterprise Installation & Maintenance Guide).

Tip You can also configure most of these properties from the TE Console Node
Manager by selecting a node and clicking the Configure button.

Table 28. Configuration properties for TE Agent

Property Description
Active Directory GPO If false, Tripwire Enterprise Agent will include associated
Monitoring Group Policy settings when an Active Directory Group Policy
tw.ad.noGpoContent container is baselined or version checked.

If true, TE Agent will omit Group Policy settings from

baseline operations and version checks of Active Directory
Group Policy containers.

Default Value: false

AIX Audit File Location Specifies the location of the AIX audit event files.
tw.si.aix.audit.
Default Value:
defaultAuditFiles
/audit/trail
/audit/bin1
/audit/bin2

Audit Event Batch Size Specifies the number of audit events in each batch sent to
tw.fs.eventCacheSize the Tripwire Enterprise Server. Generally speaking, the
larger the batch size, the fewer times the Agent needs to
connect to the server and the fewer commits the server
needs to perform. 500 is usually a good value for large
deployments.
Default Value: 500

Audit Event Harvesting Indicates whether or not the Agent should prevent audit
tw.agent.noaudit event harvesting. True prevents audit event harvesting.

Default Value: false

Auto-synchronize Enabled Automatically synchronize the agent when it is out of sync;

tw.agent. the automatic synchronization will occur when the node is
restarted (if necessary), or for a specific rule during a check
autoSynchronizeEnabled or baseline if the data for that rule is out of sync..

Default Value: true

Tripwire Enterprise 9.0 Reference Guide 87 Chapter 3. System Properties

 Property Description
Concurrent Incoming Defines the number of incoming requests that can be
Requests executed concurrently before other requests are queued.
tw.rpc.exec. Normally this does not need to be adjusted.
threadPoolSize Default Value: 4

Debug Tracing If true, turns on debug tracing through Dbg.trace()

com.tripwire.trace calls.

Default Value: false

Default URLConnection Connect Specify the default connect timeout for the protocol handler
Timeout used by java.net.URLConnection.
sun.net.client.
defaultConnectTimeout Default Value: 1200000

Default URLConnection Read Timeout Specify the default read timeout for the protocol handler
sun.net.client. used by java.net.URLConnection.
defaultReadTimeout
Default Value: 1200000

Element Tracing If true, the Agent will trace all elements that are currently
tw.agent.debug. being baselined or version checked.
objects
Default Value: false

Element Version The maximum number of simultaneous threads used to

Pool Size send new element versions to the TE Server.
tw.agent.queueMax
Default Value: 10

Event Generator The maximum number of audit events to be pooled by an

Pool Size Agent. When this limit is reached, the Agent deletes all
tw.eg.manager. currently pooled events so new events can be received from
the Event Generator.
maxEvents
Default Value: 1,000,000

Event Generator Timeout The number of milliseconds a TE Agent will wait for an
tw.agent.generator. Event Generator to respond to a request.
readTimeout Default Value: 10,000 milliseconds (10 seconds)

Event Generator Transfer Defines the time interval for an Agent’s Event Generator to
Interval coalesce and transfer events to the Agent.
tw.agent.generator.
Default Value: 30,000 milliseconds (30 seconds)
coalescePeriod
Event Generator Windows Registry If true, an Agent configured to use the Event Generator as
Override an audit source will instead use the OS audit log for
tw.noEventGenerator. Windows Registry rules.
windowsRegistry
Default Value: false

Harvest All IP Addresses If true, an Agent will collect all IP addresses associated
tw.agent.harvest.ipAddress with a node. If false, an Agent will only collect the
IP address used to communicate with the TE Console.

Default Value: true

Tripwire Enterprise 9.0 Reference Guide 88 Chapter 3. System Properties

 Property Description
HP-UX Index File Name Set this if the name of the index file of the installed product
tw.hpux.indexFile catalog for an HP-UX install is not in the default location or
is non-standard.
Default Value: /var/adm/sw/products/INDEX

HP-UX Installation Sets the location of the installed product catalog for an HP-
Directory UX install if it is not in the default location.
tw.hpux.productDir
Default Value: /var/adm/sw/products

HP-UX Tracing Retrieves trace info from the HP-UX package cataloging on
com.tripwire.si. the Agent.
hpux.pkg.trace
Default Value: false

Launcher Debugging If true, turns on low-level startup debug tracing.

tw.launcher.debug
Default Value: false

Launcher Timeout The time used for the first retry timeout.
Initial Value
tw.launcher. Default Value: 5 seconds
timeout.initial
Launcher Timeout The maximum amount of time an Agent will wait to retry
Maximum registering with the Tripwire Enterprise Server.
tw.launcher.
Default Value: 1800 seconds (30 minutes)
timeout.max
Launcher Timeout The number by which the registration-retry timeout is
Multiplier multiplied after each retry failure.
tw.launcher.
Default Value: 1.5
timeout.multiplier
Launcher Timeout Salt The maximum amount of extra "random" time that should
tw.launcher.timeout. be added to each registration retry timeout in order to
prevent multiple Agents from continuously retrying in
salt lockstep.
Default Value: 5 seconds

Legacy Agent Communication Ciphers The ciphers used in SSL negotiation for TE Agent
tw.rmi.ciphers communication.
Default Value: TLS_ECDHE_ECDSA_WITH_AES_256_
GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

Legacy Agent Communication TLS A comma-separated list of TLS protocols used in SSL
protocols negotiation for TE Agent communication.
tw.rmi.clientProtocols
Default Value: TLSv1.2, TLSv1

Legacy Agent Communication TLS A comma-separated list of TLS protocols used in SSL
protocols negotiation for TE Agent communication.
tw.rmi.serverProtocols
Default Value: TLSv1.2, TLSv1

Tripwire Enterprise 9.0 Reference Guide 89 Chapter 3. System Properties

 Property Description
Linux Package Database Location Sets the location of the package database if it is not stored
tw.linux.pkgDir in the default location.

Default Value:/var/lib/rpm

Logging for Checks and Baselines If true, produces debug output for version checks and
tw.agent.ruleRun.trace baselines on the Agent.

Default Value: false

Logging for Event Generator Audit If true, produces debug output for every audit event the
Events Agent receives from the Event Generator.
tw.agent.eventGenerator.logEvents
Default Value: false

Logging for Event Generator If true, produces debug output about the Agent's control
Operations of the Event Generator.
tw.agent.eventGenerator.trace
Default Value: false

Oracle Cipher Suites These are the cipher suites to use in SSL negotiation with
tw.oracle.net. Oracle database servers. This value is a comma-delimited
list of standard SSL cipher suites.
ssl_cipher_suites
Default Value:
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_
AES_128_CBC_SHA

Oracle Connection The timeout, in seconds, for making an SSL connection with
Timeout an Oracle database.
tw.oracle.net.
Default Value: 30 seconds
ssl_login_timeout
Oracle Server SSL The version of SSL to use for communication with Oracle
Version database servers. Possible values are ANY, 3.1 (which
tw.oracle.net. maps to TLS 1.0), and 3.0. When ANY is used, TLS 1.0 is
ssl_version tried first, then SSL 3.0, in that order.
Default Value: ANY

Package Batch Size Specifies the batch size for package entries that are sent to
tw.fs. the Tripwire Enterprise Server. Generally speaking, the
larger the batch size, the fewer times the Agent needs to
packageEntryCacheSize connect to the server and the fewer commits the server
needs to perform. 5000 is usually a good value for large
deployments.
Default Value: 5000

Package Cataloging Indicates whether or not the Agent should prevent package
tw.agent.nopkg cataloging. "True" prevents package cataloging.

Default Value: false

Package Database Sets the location of the package database if it is not stored
Location in the default location. This is an Agent configuration
tw.linux.pkgDir object.
Default Value: /var/lib/rpm

Tripwire Enterprise 9.0 Reference Guide 90 Chapter 3. System Properties

 Property Description
Prevent Automatic Remediation If true, this setting prevents Tripwire Enterprise from
tw.agent. running automated remediation on the Agent.
preventRemediation
This setting cannot be accessed from the Tripwire
Enterprise Console; it must be set by editing the Agent
configuration file directly.

Default Value: false

Prevent COCR Commands If true, Tripwire Enterprise does not allow COCR
tw.agent.prevent commands to be run on the Agent.
CommandLineExecution
Default Value: false

Prevent Execution Actions If true, Tripwire Enterprise does not allow execution
tw.agent. actions to be run on the Agent.
preventExecutionActions
Default Value: false

Real-Time Monitoring Defines the amount of time between real-time version

Interval checks run by an Agent.
tw.agent.audit.
Default Value: 60,000 milliseconds (1 minute)
harvestPeriod
Real-Time Posting Limit If real-time monitoring is enabled for the Agent, and the
tw.agent.maxRepostSize Agent is temporarily unable to send element versions and
audit events to the TE Server, this property establishes the
maximum amount of data to be saved by the Agent. When
this limit is reached, the Agent deletes all currently saved
element versions and audit events, and then restarts itself.
Default Value: 1 GB (in bytes)

Real-Time Rule Limit The maximum number of rules that can be used to run real-
tw.agent.realtime. time version checks of the Agent in a single Real-Time
Monitoring Interval (defined by
checkThreads
tw.agent.audit.harvestPeriod).
Default Value: 4

Remediation Backup Directory Path When remediation scripts back up files, they will use this
tw.agent.remediation. directory path as the location for those backups.
backup.dir
Default Value: ${tw.home}${/}data${/}backup

Remote Request Thread Priority The default priority for threads that execute incoming
tw.rpc.exec. remote requests from the Tripwire Enterprise Server.
Normally does not need to be adjusted.
threadPriority
Default Value: 5

Tripwire Enterprise 9.0 Reference Guide 91 Chapter 3. System Properties

 Property Description
Require Whitelist By default, if a whitelist file is present on an Agent, that
tw.agent.exec. Agent will use the whitelist. However, you can edit an
Agent's configuration file to require that a whitelist is
requireWhitelist always used.

If this setting is present and is set to true, no commands

initiated by Tripwire Enterprise can be executed on an
Agent if a whitelist file does not exist on the Agent.
This setting cannot be accessed from the Tripwire
Enterprise Console; it must be set by editing the Agent
configuration file directly.
Default Value: Not present by default

RMI Client Protocols A comma-separated list of TLS protocols used by RMI client
tw.rmi. sockets.
clientProtocols
Default Value: TLSv1

RMI Server Protocols A comma-separated list of TLS protocols used by RMI

tw.rmi. server sockets.
serverProtocols
Default Value: TLSv1 (for systems with FIPS mode
enabled) or
TLSv1, SSLv2Hello (for systems without FIPS mode
enabled)

RSA Key Size Controls the size of RSA keys generated for the RMI host
tw.channel. CA, RMI client, and RMI server for the TE Agent.
rsaKeySize
Default Value: 4096

Sleep/Yield Setting If set to greater than one, this property performs a sleep
tw.agent.niceLevel after each snapshot is taken. If set to one, a yield is
performed instead of a sleep.
Default Value: 0

Solaris Package (Solaris only) Specifies where the Solaris package contents
Contents File file is stored if in a location other than the default.
tw.posix.pkgContents
Default Value: /var/sadm/install/contents

Solaris Package Location (Solaris only) Specifies where the Solaris packages are
tw.posix.pkgDir stored if in a location other than the default.
Default Value: /var/sadm/pkg

Start Point Limit For a single rule, specifies the maximum number of start
tw.agent.element. points that TE can simultaneously use to detect changes
during a version check. If the number of start points in a
poolSize rule exceeds this limit, additional start points are pooled
until another start point completes its check. (Does not
apply to real-time version checks.)
Default Value: 6

TE Proxy Hostname The hostname or IP address of the TE Proxy that the Agent
tw.proxy.host should use.

Tripwire Enterprise 9.0 Reference Guide 92 Chapter 3. System Properties

 Property Description
TE Proxy Port The port on which the TE Proxy accepts connections.
tw.proxy.port
Default Value: 1080

TE Server Hostname The hostname of the TE Server to which the Agent will
tw.server.host connect.
Default Value: localhost

Task Thread Priority Changes the thread priority on TE Console task threads.
tw.agent.taskPriority
Default Value: 4

Use HTTPS for Certificate Signing Specifies which port the Agent uses to connect to a
tw.te.crypto. TE Console for certificate signing requests.
useHttpsForSideband
If set to true, the Agent will attempt a certificate signing
CertificateSigning request using port 443 instead of the default 8080.

Default Value: false

Version Batch Size Specifies the number of new baseline versions and/or
tw.agent. change versions that are collected into a batch before being
sent to the Tripwire Enterprise Server.
changeBlockSize
l A larger batch size will perform fewer transfers from
the Agent to the server, but each transfer will be larger.
l A check that finds no changes will not send any batches
to the server.
Default Value: 500 (Maximum value = 1000)

Version Cache Timeout Timeout, in milliseconds, to use when trying to acquire the
tw.agent.versionCache.timeout Agent's version cache.
Default Value: 120000

VMware Certificate Validation With the default value (false), the Agent authenticates
tw.vi.vmware.ignoreCerts SSL certificates received from VMware VirtualCenters and
ESXi Servers. To configure an Agent to trust any SSL
certificate received from VMware VirtualCenters and ESXi
Servers, set it to true.

Note: Starting with Tripwire Enterprise 8.4.1, TE Agents in

FIPS mode require authentication for SSL connections,
even if this setting is true. For more information about
FIPS, see Configuring FIPS Mode in the Tripwire Enterprise
Hardening Guide, available from the Tripwire Customer
Center.

Default Value: false

Tripwire Enterprise 9.0 Reference Guide 93 Chapter 3. System Properties

 Chapter 4.
Windows RSoP
Attributes
Windows RSoP Attributes
The following tables list the Group Policy settings identified by a Windows RSoP rule, along
with the path to each setting in the Security Policy Editors on a Windows 2003 system. When
Tripwire Enterprise uses a Windows RSoP rule to create an element version, the values of these
settings are saved as attributes in the element version. For more information about Windows
RSoP rules, see How Does a Windows RSoP Rule Work? in the Tripwire Enterprise User Guide.

Notes A Windows RSoP rule also identifies the RequireLogonToChangePassword

setting, which is inaccessible from the Security Policy Editors in Windows
2003.

Microsoft Windows 7 and Windows Server 2008 support a more granular

approach to audit configuration using Audit Policy Subcategories (see Table 33
on page 99). These new policy settings are not visible within the Local Security
Policy application for versions of Windows earlier than Windows Server 2008
R2. Windows Server 2008 requires use of the auditpol.exe command-line
utility to list and configure them.

Table 29. Group Policy settings identified by Windows RSoP rules - Restricted Groups

Attribute Name in
Path in Security Policy Editors of Windows 2003 Tripwire Enterprise
Restricted Groups RestrictedGroup.<name_of_
group>.MemberOf

Restricted Groups RestrictedGroup.<name_of_

group>.Members

Tripwire Enterprise 9.0 Reference Guide 95 Chapter 4. Windows RSoP Attributes

 Table 30. Group Policy settings identified by Windows RSoP rules - Account Policies

Attribute Name in
Path in Security Policy Editors of Windows 2003 Tripwire Enterprise
Account Policies > Account Lockout Policy > Account lockout duration LockoutDuration

Account Lockout Policy > Account lockout threshold LockoutBadCount

Account Lockout Policy > Reset account lockout counter after ResetLockoutCount

Kerberos Policy > Enforce user logon restrictions TicketValidateClient

Kerberos Policy > Maximum lifetime for service ticket MaxServiceAge

Kerberos Policy > Maximum lifetime for user ticket MaxTicketAge

Kerberos Policy > Maximum lifetime for user ticket renewal MaxRenewAge

Kerberos Policy > Maximum tolerance for computer clock MaxClockSkew

synchronization

Password Policy > Enforce password history PasswordHistorySize

Password Policy > Maximum password age MaximumPasswordAge

Password Policy > Minimum password age MinimumPasswordAge

Password Policy > Minimum password length MinimumPasswordLength

Password Policy > Password must meet complexity requirements PasswordComplexity

Password Policy > Store passwords using reversible encryption ClearTextPassword

Tripwire Enterprise 9.0 Reference Guide 96 Chapter 4. Windows RSoP Attributes

 Table 31. Group Policy settings identified by Windows RSoP rules - Local Policies

Attribute Name in
Path in Security Policy Editors of Windows 2003 Tripwire Enterprise
Audit Policy > Audit account logon events AuditAccountLogon

Audit Policy > Audit account management AuditAccountManage

Audit Policy > Audit directory server access AuditDSAccess

Audit Policy > Audit logon events AuditLogonEvents

Audit Policy > Audit object access AuditObjectAccess

Audit Policy > Audit policy change AuditPolicyChange

Audit Policy > Audit privilege use AuditPrivilegeUse

Audit Policy > Audit process tracking AuditProcessTracking

Audit Policy > Audit system events AuditSystemEvents

Security Options > Accounts: Administrator account status EnableAdminAccount

Security Options > Accounts: Guest account status EnableGuestAccount

Security Options > Accounts: Rename administrator account NewAdministratorName

Security Options > Accounts: Rename guest account NewGuestName

Security Options > Network security: Force logoff when logon ForceLogoffWhenHourExpire
hours expire

Security Options > Network access: Allow anonymous SID/Name LSAAnonymousNameLookup

translation

User Rights Assignment > Access this computer from the network NetworkLogonRight

User Rights Assignment > Act as part of the operating system TcbPrivilege

User Rights Assignment > Add workstations to domain MachineAccountPrivilege

User Rights Assignment > Adjust memory quotes for a process IncreaseQuotaPrivilege

Security Options > Allow log on locally InteractiveLogonRight

User Rights Assignment > Allow logon through Terminal Services RemoteInteractiveLogonRight

User Rights Assignment > Back up files and directories BackupPrivilege

User Rights Assignment > Bypass traverse checking ChangeNotifyPrivilege

User Rights Assignment > Change the system time SystemTimePrivilege

User Rights Assignment > Create a pagefile CreatePageFilePrivilege

User Rights Assignment > Create a token object CreateTokenPrivilege

User Rights Assignment > Create permanent shared objects CreatePermanentPrivilege

User Rights Assignment > Debug programs DebugPrivilege

User Rights Assignment > Deny access to this computer from the DenyNetworkLogonRight
network

Tripwire Enterprise 9.0 Reference Guide 97 Chapter 4. Windows RSoP Attributes

 Attribute Name in
Path in Security Policy Editors of Windows 2003 Tripwire Enterprise
User Rights Assignment > Deny log on as a batch job DenyBatchLogonRight

User Rights Assignment > Deny log on as a service DenyServiceLogonRight

User Rights Assignment > Deny log on locally DenyInteractivelogonRight

User Rights Assignment > Deny logon through Terminal Services DenyRemoteInteractiveLogonRight

User Rights Assignment > Enable computer and user accounts to EnableDelegationPrivilege
be trusted for delegation

User Rights Assignment > Force shutdown from a remote system RemoteShutdownPrivilege

User Rights Assignment > Generate security audits AuditPrivilege

User Rights Assignment > Impersonate a client after ImpersonatePrivilege

authentication

User Rights Assignment > Increase scheduling priority IncreaseBasePriorityPrivilege

User Rights Assignment > Load and unload device drivers LoadDriverPrivilege

User Rights Assignment > Lock pages in memory LockMemoryPrivilege

User Rights Assignment > Log on as a batch job BatchLogonRight

User Rights Assignment > Log on as a service ServiceLogonRight

User Rights Assignment > Manage auditing and security log SecurityPrivilege

User Rights Assignment > Modify firmware environment values SystemEnvironmentPrivilege

User Rights Assignment > Perform volume maintenance tasks ManageVolumePrivilege

User Rights Assignment > Profile single process ProfileSingleProcessPrivilege

User Rights Assignment > Profile system performance SystemProfilePrivilege

User Rights Assignment > Remove computer from docking UndockPrivilege

station

User Rights Assignment > Replace a process level token AssignPrimaryTokenPrivilege

User Rights Assignment > Restore files and directories RestorePrivilege

User Rights Assignment > Shut down the system ShutdownPrivilege

User Rights Assignment > Synchronize directory service data SyncagentPrivilege

User Rights Assignment > Take ownership of files or other objects TakeOwnershipPrivilege

Tripwire Enterprise 9.0 Reference Guide 98 Chapter 4. Windows RSoP Attributes

 Table 32. Group Policy settings identified by Windows RSoP rules - Event Log

Attribute Name in
Path in Security Policy Editors of Windows 2003 Tripwire Enterprise
Settings for Event Log > Maximum application log size ApplicationLog.MaximumLogSize

Settings for Event Log > Maximum security log size SecurityLog.MaximumLogSize

Settings for Event Log > Maximum system log size SystemLog.MaximumLogSize

Settings for Event Log > Prevent local guests group from ApplicationLog.
accessing application log RestrictGuestAccess

Settings for Event Log > Prevent local guests group from SecurityLog.RestrictGuestAccess
accessing security log

Settings for Event Log > Prevent local guests group from SystemLog.RestrictGuestAccess
accessing system log

Settings for Event Log > Retain application log ApplicationLog.RetentionDays

Settings for Event Log > Retain security log SecurityLog.RetentionDays

Settings for Event Log > Retain system log SystemLog.RetentionDays

Settings for Event Log > Retention method for ApplicationLog.

application log AuditLogRetentionPeriod

Settings for Event Log > Retention method for security SecurityLog.
log AuditLogRetentionPeriod

Settings for Event Log > Retention method for system SystemLog.
log AuditLogRetentionPeriod

Table 33. Advanced Audit Policy settings identified by Windows RSoP rules

Path in Security Policy Editors Attribute Name in

(Windows Vista and later) Tripwire Enterprise
Advanced Audit Policy Configuration > Account Logon > AuditAccountLogon: Credential Validation
Audit Credential Validation

Advanced Audit Policy Configuration > Account Logon > AuditAccountLogon: Kerberos Authentication
Audit Kerberos Authentication Service Service

Advanced Audit Policy Configuration > Account Logon > AuditAccountLogon: Kerberos Service Ticket
Audit Kerberos Service Ticket Operations Operations

Advanced Audit Policy Configuration > Account Logon > AuditAccountLogon: Other Account Logon
Audit Other Account Logon Events Events

Advanced Audit Policy Configuration > Account AuditAccountManage: Application Group

Management > Audit Application Group Management Management

Advanced Audit Policy Configuration > Account AuditAccountManage: Computer Account

Management > Audit Computer Account Management Management

Advanced Audit Policy Configuration > Account AuditAccountManage: Distribution Group

Management > Audit Distribution Group Management Management

Tripwire Enterprise 9.0 Reference Guide 99 Chapter 4. Windows RSoP Attributes

 Path in Security Policy Editors Attribute Name in
(Windows Vista and later) Tripwire Enterprise
Advanced Audit Policy Configuration > Account AuditAccountManage: Other Account
Management > Audit Other Account Management Management Events
Events

Advanced Audit Policy Configuration > Account AuditAccountManage: Security Group

Management > Audit Security Group Management Management

Advanced Audit Policy Configuration > Account AuditAccountManage: User Account

Management > Audit User Account Management Management

Advanced Audit Policy Configuration > Detailed Tracking AuditProcessTracking: DPAPI Activity
> Audit DPAPI Activity

Advanced Audit Policy Configuration > Detailed Tracking AuditProcessTracking: Process Creation
> Audit Process Creation

Advanced Audit Policy Configuration > Detailed Tracking AuditProcessTracking: Process Termination
> Audit Process Termination

Advanced Audit Policy Configuration > Detailed Tracking AuditProcessTracking: RPC Events
> Audit RPC Events

Advanced Audit Policy Configuration > DS Access > AuditDSAccess: Detailed Directory Service
Audit Detailed Service Replication Replication

Advanced Audit Policy Configuration > DS Access > AuditDSAccess: Directory Service Access
Audit Directory Service Access

Advanced Audit Policy Configuration > DS Access > AuditDSAccess: Directory Service Changes
Audit Directory Service Changes

Advanced Audit Policy Configuration > DS Access > AuditDSAccess: Directory Service Replication
Audit Directory Service Replication

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: Account Lockout
Audit Account Lockout

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: IPsec Extended Mode
Audit IPsec Extended Mode

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: IPsec Main Mode
Audit IPsec Main Mode

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: IPsec Quick Mode
Audit IPsec Quick Mode

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: Logoff

Audit Logoff

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: Logon

Audit Logon

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: Network Policy Server
Audit Network Policy Server

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: Other Logon/Logoff Events
Audit Other Logon/Logoff Events

Advanced Audit Policy Configuration > Logon/Logoff > AuditLogonEvents: Special Logon
Audit Special Logon

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Application Generated
Audit Application Generated

Tripwire Enterprise 9.0 Reference Guide 100 Chapter 4. Windows RSoP Attributes
 Path in Security Policy Editors Attribute Name in
(Windows Vista and later) Tripwire Enterprise
Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Certification Services
Audit Certification Services

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: File Share
Audit File Share

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: File System
Audit File System

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Filtering Platform
Audit Filtering Platform Connection Connection

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Filtering Platform Packet
Audit Filtering Platform Packet Drop Drop

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Handle Manipulation
Audit Handle Manipulation

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Kernel Object
Audit Kernel Object

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Other Object Access Events
Audit Other Object Access Events

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: Registry
Audit Registry

Advanced Audit Policy Configuration > Object Access > AuditObjectAccess: SAM
Audit SAM

Advanced Audit Policy Configuration > Policy Change > AuditPolicyChange: Audit Policy Change
Audit Audit Policy Change

Advanced Audit Policy Configuration > Policy Change > AuditPolicyChange: Authentication Policy
Audit Authentication Policy Change Change

Advanced Audit Policy Configuration > Policy Change > AuditPolicyChange: Authorization Policy
Audit Authorization Policy Change Change

Advanced Audit Policy Configuration > Policy Change > AuditPolicyChange: Filtering Platform Policy
Audit Filtering Platform Policy Change Change

Advanced Audit Policy Configuration > Policy Change > AuditPolicyChange: MPSSVC Rule-Level Policy
Audit MPSSVC Rule-Level Policy Change Change

Advanced Audit Policy Configuration > Policy Change > AuditPolicyChange: Other Policy Change Events
Audit Other Policy Change Events

Advanced Audit Policy Configuration > Privilege Use > AuditPrivilegeUse: Non Sensitive Privilege Use
Audit Non Sensitive Privilege Use

Advanced Audit Policy Configuration > Privilege Use > AuditPrivilegeUse: Other Privilege Use Events
Audit Other Privilege Use Events

Advanced Audit Policy Configuration > Privilege Use > AuditPrivilegeUse: Sensitive Privilege Use
Audit Sensitive Privilege Use

Advanced Audit Policy Configuration > System > Audit AuditSystemEvents: IPsec Driver
IPsec Driver

Advanced Audit Policy Configuration > System > Audit AuditSystemEvents: Other System Events
Other System Events

Tripwire Enterprise 9.0 Reference Guide 101 Chapter 4. Windows RSoP Attributes
 Path in Security Policy Editors Attribute Name in
(Windows Vista and later) Tripwire Enterprise
Advanced Audit Policy Configuration > System > Audit AuditSystemEvents: Security State Change
Security State Change

Advanced Audit Policy Configuration > System > Audit AuditSystemEvents: Security System Extension
Security System Extension

Advanced Audit Policy Configuration > System > Audit AuditSystemEvents: System Integrity
System Integrity

Tripwire Enterprise 9.0 Reference Guide 102 Chapter 4. Windows RSoP Attributes
Index

AAA log messages

formats 75
that trigger version checks 74
AAA Log Monitoring Tool
about 71
installing 72
introduction 72
log files 73
running 73
system requirements 72
arguments
defined for the CLI 10

baselining
elements with the CLI 27

checking
nodes for changes with the CLI 29
CLI
see Command Line Interface (CLI) 13
Command Line Interface (CLI)
about 9
baselining elements 27
checking nodes for changes 29
command format and standards 16
commands 10
commands, options, and arguments defined 10
common options defined 19
configuring the Event Generator 62

Tripwire Enterprise 9.0 Reference Guide 103 Index

 creating Launch in Context URLs 67
creating TE user accounts 57
defining common options 18
defining variables with 26
deleting Tripwire Enterprise objects 46
disabling and enabling version checks 31
installing 13
installing strong encryption 15
limiting commands to specific nodes and elements 22
managing node licenses 33
online help 17
options used to specify node groups, nodes, and elements 24
promoting by reference 38
promoting element versions 35
renaming TE objects 48
restarting nodes 32
running a task 54
running actions 55
running reports 50
setting custom property values 65
version number 69
commands
defined for the CLI 10
format and standards for the CLI 16
limiting to specific nodes and elements in the CLI 22
types of CLI commands 10
configuration properties for Tripwire Enterprise Agent
Active Directory GPO Monitoring (tw.ad.noGpoContent) 87
AIX Audit File Location (tw.si.aix.audit.defaultAuditFiles) 87
Audit Event Batch Size (tw.fs.eventCacheSize) 87
Audit Event Harvesting (tw.agent.noaudit) 87
Auto-synchronize Enabled (tw.agent.autoSynchronizeEnabled) 87
Concurrent Incoming Requests (tw.rpc.exec.threadPoolSize) 88
Debug Tracing (com.tripwire.trace) 88
Default URLConnection Connect Timeout (sun.net.client.defaultConnectTimeout) 88
Default URLConnection ReadTimeout (sun.net.client.defaultReadTimeout) 88
defined 87
Element Tracing (tw.agent.debug.objects) 88
Element Version Pool Size (tw.agent.queueMax) 88

Tripwire Enterprise 9.0 Reference Guide 104 Index

 Event Generator Pool Size (tw.eg.manager.maxEvents) 88
Event Generator Timeout (tw.agent.generator.readTimeout) 88
Event Generator Transfer Interval (tw.agent.generator.coalescePeriod) 88
Harvest All IP Addresses (tw.agent.harvest.ipAddress) 88
HP-UX Index File Name (tw.hpux.IndexFile) 89
HP-UX Installation Directory (tw.hpux.productDir) 89
HP-UX Tracing (com.tripwire.si.hpux.pkg.trace) 89
Launcher Debugging (tw.launcher.debug) 89
Launcher Timeout Initial Value (tw.launcher.timeout.initial) 89
Launcher Timeout Maximum (tw.launcher.timeout.max) 89
Launcher Timeout Multiplier (tw.launcher.timeout.multiplier) 89
Launcher Timeout Salt (tw.launcher.timeout.salt) 89
Legacy Agent Communication Ciphers (tw.rmi.ciphers) 89
Legacy Agent Communication TLS protocols (tw.rmi.clientProtocols) 89
Legacy Agent Communication TLS protocols (tw.rmi.serverProtocols) 89
Linux Package Database Location (tw.linux.pkgDir) 90
Logging for Checks and Baselines (tw.agent.ruleRun.trace) 90
Logging for Event Generator Audit Events (tw.agent.eventGenerator.logEvents) 90
Logging for Event Generator Operations (tw.agent.eventGenerator.trace) 90
Package Batch Size (tw.fs.packageEntryCacheSize) 90
Package Cataloging (tw.agent.nopkg) 90
Package Database Location (tw.linux.pkgDir) 90
Prevent Automatic Remediation(tw.agent.preventRemediation) 91
Prevent COCR Commands (tw.agent.preventCommandLineExecution) 91
Real-Time Monitoring Interval (tw.agent.audit.harvestPeriod) 91
Real-Time Posting Limit (tw.agent.maxRepostSize) 91
Real-Time Rule Limit (tw.agent.realtime.checkThreads) 91
Remediation Backup Directory Path (tw.agent.remediation.backup.dir) 91
Remote Request Thread Priority (tw.rpc.exec.threadPriority) 91
Require Whitelist (tw.agent.exec.requireWhitelist) 92
RMI Client Protocols (tw.rmi.clientProtocols) 92
RMI Server Protocols (tw.rmi.serverProtocols) 92
RSA Key Size (tw.channel.rsaKeySize) 92
Sleep/Yield Setting (tw.agent.niceLevel) 92
Solaris Package Contents File (tw.posix.pkgContents) 92
Solaris Package Location (tw.posix.pkgDir) 92
Start Point Limit (tw.agent.element.poolSize) 92
Task Thread Priority (tw.agent.taskPriority) 93
TE Proxy Hostname (tw.proxy.host) 92
TE Proxy Port (tw.proxy.port) 93

Tripwire Enterprise 9.0 Reference Guide 105 Index

 TE Server Hostname (tw.server.host) 93
Use HTTPS for Certificate Signing (tw.te.crypto.useHttpsForSidebandCertificateSigning) 93
Version Batch Size (tw.agent.changeBlockSize) 93
Version Cache Timeout (tw.agent.versionCache.timeout) 93
VMware Certificate Validation (tw.vi.vmware.ignoreCerts) 93
configuration properties for Tripwire Enterprise Console
Active Directory GPO Monitoring (tw.ad.noGpoContent) 77
Agent Baseline Check Limit (tw.concurrentAgents) 77
Agent Ping Rate (tw.agent.ping) 77
Agent Restart Limit (tw.agent.restart.poolSize) 77
Agent Restart Timeout (tw.agent.restart.timeout) 77
Agent Reverse Lookup (tw.agent.restart.reverseLookup) 78
Agent Synchronization Limit (tw.agentCallback.poolSize) 78
Agent Task Logging (tw.agent.debug) 78
Allow Legacy FIPS (tw.te.crypto.allow_legacy_fips) 78
Audit Event Batch Size (tw.fs.eventCacheSize) 78
Audit Event Harvesting (tw.agent.noaudit) 78
Auto Certificate Signing (tw.te.crypto.sideband_signaling_disabled) 78
Baseline on First Rule Run (tw.baseline.on.first.check) 79
Change Consumer Limit (tw.changeConsumers) 79
Concurrent Incoming Requests (tw.rpc.exec.threadPoolSize) 79
Concurrent Report Tasks (tw.tasks.reportTaskConcurrency) 79
Concurrent Rule Tasks (tw.tasks.ruleTaskConcurrency) 79
Concurrent Task Threads (tw.task.threadPoolSize) 79
Debug Tracing (com.tripwire.trace) 79
defined 77
Disable Customer Center Widgets (com.tripwire.ui. homepage.disable CustomerCenterWidgets) 80
Display Harvested Log Messages (tw.elementVersion.displayLogMessagesForFirstVersion) 80
E-mail Server Timeout (com.tripwire.mail.smtp.timeout) 80
Execution Action Log Messages (tw.rexec. nonzerostatus.log) 80
Global TE Session Timeout Setting (tw.shiro.session.timeout.minutes) 80
HP-UX Tracing (com.tripwire.si.hpux.pkg.trace) 80
HTTP Non-blocking I/O (tw.http.nio) 80
HTTP Request Handler Pool Size (tw.http.poolSize) 80
HTTP Request Handler Queue Size (tw.http.queueSize) 80
HTTPS Request Handler Pool Size (tw.https.poolSize) 80
Launcher Debugging (tw.launcher.debug) 80
Launcher Timeout Initial Value (tw.launcher.timeout.initial) 81
Launcher Timeout Maximum (tw.launcher.timeout.max) 81
Launcher Timeout Multiplier (tw.launcher.timeout.multiplier) 81

Tripwire Enterprise 9.0 Reference Guide 106 Index

 Launcher Timeout Salt (tw.launcher.timeout.salt) 81
Legacy Agent Communication Ciphers (tw.rmi.ciphers) 81
Legacy Agent Communication TLS protocols (tw.rmi.clientProtocols) 81
Legacy Agent Communication TLS protocols (tw.rmi.serverProtocols) 81
MySQL Database SSL Mode (tw.database.mysql.ssl) 81
Oracle Cipher Suites (tw.oracle.net.ssl_cipher_suites) 90
Oracle Connection Timeout (tw.oracle.net.ssl_login_timeout) 90
Oracle Server SSL Version (tw.oracle.net.ssl_version) 90
Package Batch Size (tw.fs.packageEntryCacheSize) 81
Package Cataloging (tw.agent.nopkg) 81
Prevent Promotion Log Messages (tw.promote.noLogging) 81
Real-Time Action Interval (tw.server.realTime.scopePeriod) 82
Real-Time Element Maximum (tw.server.realTime.maxElements) 82
Remote Request Thread Priority (tw.rpc.exec.threadPriority) 82
Restore Timeout (com.tripwire.tftp.availability) 82
RMI Client Protocols (tw.rmi.clientProtocols) 82
RMI Server Protocols (tw.rmi.serverProtocols) 82
RSA Key Size (tw.channel.rsaKeySize) 82
Run Command Output Capture Rules Synchronously (tw.cecr.forceSync) 82
Run File System Rules Synchronously (tw.fsi.forceSync) 82
Security Audit Logging (tw.securityAuditLog.enabled) 83
Sleep/Yield Setting (tw.agent.niceLevel) 83
Start Point / Stop Point Container Objects (tw.filter.accept.directories) 83
System Lock Debugging (com.tripwire.locking.debug) 83
Task Thread Priority (tw.agent.taskPriority) 83
TE Console Database Connection Deadlock (tw.database.deadlockTimeout) 83
TE Console Database Connection Limit (tw.database.maxConnections) 84
TE Console Database Connection Timeout (tw.database.maxConnectionLease) 84
TE Console Database Connection Usages (tw.database.maxConnectionUsages) 84
TE Console Database Host (tw.database.host) 84
TE Console Database Pagesize Limit (tw.database.paging.lookAheadRows) 84
TE Console Database Passphrase (tw.database.passphrase) 84
TE Console Database Path (tw.database.path) 84
TE Console Database Port (tw.database.port) 84
TE Console Database Statement Cache(tw.database.statementCacheSize) 84
TE Console Database Type (tw.database.type) 85
TE Console Database User (tw.database.user) 85
TE Proxy Interface Map (tw.proxy.nicMap) 85
Telnet Tracing (com.tripwire.common.net.telnet.debug) 85
Temporary Report File Deletion(tw.tempfilemanager.fileLifespanMins) 85

Tripwire Enterprise 9.0 Reference Guide 107 Index

 TFTP Access Timeout (com.tripwire.tftp.access) 85
TFTP Server Thread Priority (com.tripwire.common.net.tftp.priority) 85
TFTP Tracing (com.tripwire.common.net.tftp.debug) 85
Tomcat File Size Limit (tw.webserver.maxUploadSize) 85
vCenter Node Sync (tw.vi.vmware.alwaysSync) 86
Version Batch Size (tw.agent.changeBlockSize) 85
Widget (Developer Blog) Source URL (com.tripwire.space.core.homepage.devBlogs.url) 86
Widget (TE Announcements) Source URL (com.tripwire.space.core.homepage.announcements.url) 86
Widget (TE Forums) Source URL (com.tripwire.space.core.homepage.forums.url) 86
Widget (TE Knowledge Base) Source URL (com.tripwire.space.core.homepage.knowledgeBase.url) 86
Windows Registry Rule Synchronization (tw.winreg.forceSync) 83
creating
Launch in Context URLs with the CLI 67

deleting
Tripwire Enterprise objects with the CLI 46

encryption
strong encryption for CLI 15
Event Generators
configuring with the CLI 62
exporting
Tripwire Enterprise objects with the CLI 40

formats
for AAA log messages 75

global variables
defining with the CLI 26
Group Policy
settings identified by Windows RSoP rules 95

Tripwire Enterprise 9.0 Reference Guide 108 Index

H

help
for the CLI 17

importing
Tripwire Enterprise objects with the CLI 43
installing
the AAA Log Monitoring Tool 72
the CLI 13
the strong encryption JRE for the CLI 15

license files
managing with the CLI 33
viewing with the CLI 64
local variables
defining with the CLI 26
log files
for the AAA Log Monitoring Tool 73
log messages
creating with the CLI 59

options
common options for the CLI 19
defined for the CLI 10
setting common options with the CLI 18
used to specify node groups, nodes, and elements in the CLI 24

promoting
element versions with the CLI 35

Tripwire Enterprise 9.0 Reference Guide 109 Index

promoting by reference
with the CLI 38

Radius (Livingston)
accounting format sample 75
reports
running with the CLI 50
requirements
for AAA Log Monitoring Tool 72
REST API
for TE Console 9
restarting
Tripwire Enterprise Agents with the CLI 32
running
a task with the CLI 54
actions with the CLI 55
reports with the CLI 50
the AAA Log Monitoring Tool 73

setting
common options with the CLI 18
custom property values with the CLI 65
strong encryption
installing for CLI 15

Tripwire Enterprise Agent

configuration properties 87
managing licenses with the CLI 33
restarting with the CLI 32
Tripwire Enterprise Console
configuration properties 77
REST API 9

Tripwire Enterprise 9.0 Reference Guide 110 Index

U

user accounts
creating with the CLI 57

variables
defining with the CLI 26
version checking
disabling with the CLI 31
version checks
triggered by AAA log messages 74
viewing
the CLI version number 69

Windows RSoP rules

Group Policy settings identified by 95

Tripwire Enterprise 9.0 Reference Guide 111 Index