What are Actions and Action Types?

In document Tripwire Enterprise User Guide (Page 110-113)

An action is a Tripwire Enterprise object that initiates a response to detected changes. You can run any action as part of a version check. In addition, some actions can be run manually in the Node Manager with the Run Actions feature.

By running actions with a version check, you can ensure a timely and appropriate response to detected changes. To run an action with a version check, you first associate the action with a rule or check rule task. If the version check results in the creation of change versions, Tripwire Enterprise automatically executes the applicable actions. (For further details, see About Version Checks on page 44.)

Action types are grouped in the following categories:

• Common actions can be run in response to detected changes in all types of monitored systems (see Table 36 on the next page).

• Conditional actions run one response if a detected change meets specified conditions, or another response if the conditions are not met. In either case, a response could be a TE action, action group, or no action. For more information, see How Does a Conditional Action Work? on page 119.

• A network device action can only be run in response to detected changes in network devices (see Table 37 on page 112).

In the Action Manager, you can create action groups to organize the actions in your TE implementation. For more information, see How Does an Action Group Work? on page 114.

For more information, see:

• Using the Run Actions Feature (on page 395)

• Running Actions with Version Checks (on page 113)

Action Type | Description

E-mail

An e-mail action sends an e-mail notification to specified recipients. For more details, see How Does an E-mail Action Work? on page 114.

Execution

An execution action runs a command on either the TE Server or an Agent. For more information, see How Does an Execution Action Work? on page 115.

Outside Change Window

Created by default when TE is installed, this action indicates if a detected change occurred within the time frame specified by an authorized maintenance window. For further details, see How Does the Outside Change Window Action Work? on page 116.

Note: This action cannot be deleted, and the name and description cannot be changed.

Promote-by-match

A promote-by-match action runs a promote-by-match operation. To do so, TE uses a matching strategy and match file specified by the action. (The match file must reside on your TE Server.)

For more information, see:

• What is the By-Match Selection Method? (on page 71)

• Creating a Promote Action (on page 481)

Note: This action can 1) add a comment to each current baseline created by the action, and 2) limit the scope of the promotion to specific software-installation packages (see Promotion and Software-Installation Packages on page 48).

Promote-by-reference

A promote-by-reference action runs a promote-by-reference operation. With the following exceptions, this process is identical to a promote-by-reference operation run in the Node Manager.

• Tripwire Enterprise runs the operation with a reference node specified by the action.

• The target nodes are all systems for which at least one change version was created by the version check.

For more information, see:

• What is the By-Reference Selection Method? (on page 74)

• Creating a Promote Action (on page 481)

Note: This action can 1) add a comment to each current baseline created by the action, and 2) limit the scope of the promotion to specific software-installation packages (see Promotion and Software-Installation Packages on page 48).

Promote specific versions

A promote specific versions action promotes each new change version created by a version check. For more information, see Creating a Promote Action on page 481.

Note: This action can 1) add a comment to each current baseline created by the action, and 2) limit the scope of the promotion to specific software-installation packages (see Promotion and Software-Installation Packages on page 48).

Promote to Baseline

Created by default when TE is installed, this action automatically promotes each new change version created by a version check. For more information about promotion, see What is Promotion? on page 47.

Note: This action cannot be deleted, and the name and description cannot be changed.

Run report

A run report action runs a specified report. For more information, see How Does a Run Report Action Work? on page 179.

Table 36. Types of common actions

Tripwire Enterprise 8.2 User Guide 111 Chapter 3. Terms, Concepts, and Functions

Action Type | Description

Run rule

If a version check detects a change in a monitored system, this action runs an additional version check of the system. For more information, see How Does a Run Rule Action Work? on page 117.

Run task

A run task action runs a specified task.

For more information, see:

• What are Task Types? (on page 121)

• Creating a Run Task Action (on page 484)

Note: If this action runs a baseline rule task or check rule task, TE baselines or checks the node (or node group) that is assigned to the task.

Set custom value

If a version check creates a change version, this action assigns a value to a specified custom property for one of the following Tripwire Enterprise objects:

• The change version’s node

• The change version’s element

• The change version itself

For more information, see How Does a Set Custom Value Action Work? on page 118.

Severity override

As described in What are Severity Levels? (on page 107), TE automatically assigns a severity level to each change version. This action replaces the original severity level with a specified value. For example, if the original severity level of a change version is 100, but the severity override action has a severity level of 200, TE assigns a severity of 200 to the change version.

For more information, see Creating a Severity Override Action on page 485.

SNMP

An SNMP action sends an SNMP trap to a trap receiver, such as an Enterprise Management System (EMS). For more information, see How Does an SNMP Action Work? on page 118.

Syslog

A syslog action sends an event notification to a system log. For more information, see Creating a Syslog Action on page 486.

Tag

A tag action applies or unapplies tags to nodes. For more information on tags, see Working with Tags and Tag Sets on page 347.

Action Type | Description

Restore

A restore action automatically overwrites the content of a changed file with the content of the file’s current baseline. For further details, see How Does a Restore Action Work? on page 117.

Note: A restore action cannot be assigned to a COVR.

Run command

A run command action executes one or more commands on a changed network device. For more information, see Creating a Run Command Action on page 483.

Table 37. Types of network device actions
