A report compiles information about Tripwire Enterprise objects and monitored objects on your network.
l For a list of reports that may be created and run in Tripwire Enterprise, seeTable 48 on the next page.
l To create a report, seeCreating a Report on page 578.
Report output is the data compiled by Tripwire Enterprise when a report is run. TE displays report output in tables and graphs. For a description of the output generated by each report type, seeTable 48.
Report criteria are settings that determine which data will be included in the output of a report.
For instance, you could limit report output to data associated with particular nodes or elements.
You can run reports either manually or on a scheduled basis.
l To run a report manually, seeRunning a Report Manually on page 587.
l To run a report on a scheduled basis, you must assign the report to a report task. For more information, seeHow Does a Report Task Work? on page 178.
Tips By default, Tripwire Enterprise displays all report criteria values in the output generated for a report. To limit this content to criteria for which a value(s) has been specified, select the Show only applied report criteria check box on the System Preferences page in the Settings Manager (seeChanging System Preferences on page 265).
In the Root Group of the Report Manager, you can create report groups to organize the reports in your TE implementation. For more information, seeAbout Groups on page 31.
Tripwire Enterprise 8.2 User Guide 165 Chapter 3. Terms, Concepts, and Functions
Report Type Report Output Typically used as ...
Baseline Elements
This report identifies all baseline versions that meet the specified criteria.
... a summary of baselined elements and associated approval IDs.
Change Audit Coverage
This report identifies the properties of rules that meet the specified criteria. As applicable, report output includes each rule’s commands, specifiers, start points, stop points, and/or criteria set(s).
... an administrative report to identify which rules are applied to a specified file server or directory server.
Change Process Compliance
This report identifies change versions that represent authorized and unauthorized changes to specified monitored systems. An authorized change is associated with a valid change request ticket ID.
... a management report showing a historic trend in the effectiveness of change-process controls.
Change Rate This report shows the total number of change versions (additions, removals, and
modifications) created for specified monitored systems over a period of time. Within the selected time period, the report displays the number of change versions at a regular interval (or ‘frequency’); for instance, daily, weekly, or monthly.
... a management report showing trends in detected changes over time.
Change Variance
This report identifies all monitored objects that differ between the monitored systems
specified by the report. Tripwire Enterprise includes a monitored object’s element in report output if both of the following conditions are satisfied:
l The monitored object’s current version is a change version.
l The monitored object does not exist for all specified nodes or the object’s change version differs from the current version of the object for other specified nodes.
As appropriate, you can limit report output to specific nodes, rules, and/or elements.
... a means of identifying unexpected changes made by deployment of a patch or installation package on multiple nodes. To determine which new change versions should be promoted, you may review the report for inconsistencies across the updated systems.
Change Window
This report indicates the number of detected changes for a specified monitored system(s) that have occurred inside and outside a defined change window.
… a report used to demonstrate that changes were made inside an
approved change window, as required by established change-control policies.
Changed Elements
This report identifies elements that have been added, modified, and/or removed. For each element, the report can also identify a variety of associated data, such as approval IDs or specific attributes that changed.
Note: To compile data on attribute values, run a Detailed Changes Report.
... a summary of detected changes for compliance purposes.
Table 48. Types of reports
Report Type Report Output Typically used as ...
Changes by Node or Group
This report calculates the number of change versions created for one or more monitored systems. For each system, the report also calculates the total number of change versions for each type of change (added, removed, or modified).
... a means of identifying network resources that experience an abnormally high rate of change.
Changes by Rule or Group
This report calculates the number of change versions for monitored objects identified by each specified rule or rule group. For each rule or group, the report also calculates the total number of change versions for each type of change (added, removed, or modified).
... a means of identifying network resources that experience an abnormally high rate of change.
Changes by Severity
For a specified monitored system, this report shows the total number of change versions that fall within a specified range of severity levels.
... a high-level report showing unresolved changes within a specified severity range. To identify systems that have deviated from their known-and-trusted state, this report would typically be run at the end of a day.
Compliance History
For each specified time interval, this report calculates the number of passing and failing policy test results created for all specified nodes.
... a management report showing the historic trend of compliance with a policy.
Composite Changes
This report calculates the number of authorized and unauthorized composite changes for each specified node and/or node group within a specified period of time.
A composite change consists of one or more element versions created for a single node in a single time interval specified by the report (such as a day or week).
l If TE assigned the same Approval ID to any of the new element versions, these versions collectively comprise a single authorized composite change. Within a single time interval, a node can have an unlimited number of authorized
composite changes.
l If any of the new versions lack an Approval ID, these versions collectively comprise a single unauthorized
composite change. Within a single time interval, a node can have no more than one unauthorized composite change.
For more information, seeExample: Running a Composite Changes Report on page 172.
Note: An authorized composite change only applies to the same node, Approval ID, and time interval. If TE assigned the same Approval ID to change versions created in the same time interval for multiple nodes in a node group, then TE creates a separate authorized composite change for each node when calculating the totals for the group.
... means to enforce change management policies by tabulating the number and authorization of composite changes.
Tripwire Enterprise 8.2 User Guide 167 Chapter 3. Terms, Concepts, and Functions
Report Type Report Output Typically used as ...
Detailed Changes
This report provides detailed information about current baselines and/or change versions. If the current version of a specified monitored object is a change version, the report output includes the version’s severity level, as well as any changed content or attributes.
... one of the following:
l A template documenting changes made to a staging server prior to deployment on production servers. By using the template with a report-by-match operation, you can ensure that Tripwire Enterprise only approves changes on production servers that are identified by the template.
l Documented evidence of a successful, authorized change.
For verification, the report may be appended to a change ticket.
l Background information to assist investigation of an unexpected change.
Detailed Test Inventory
This report identifies the name, type, remediation text, and other properties
(optional) for each policy test that satisfies the report’s criteria.
… a reference list that documents the properties of specified policy tests.
Detailed Test Results
For each specified node, this report lists all policy results that meet the specified report criteria. For each result, the output indicates which element was tested, as well as the outcome of the test (passed/failed).
... a means of identifying specific settings that are out of compliance with a policy.
Detailed Waivers
This report lists the properties of all waivers that meet the specified report criteria.
… a reference list that documents the properties of specified waivers.
Device Inventory
This report provides the make, model, and version of each monitored system identified by report criteria.
... a reference list of monitored systems.
Element Contents
This report presents the contents of specified element versions.
... an inventory of the contents of monitored objects.
Elements This report lists all elements identified by the specified criteria. Optionally, the report can also identify the software-installation package associated with the monitored object
represented by the element (if any).
… a reference list of all monitored objects for a node or node group.
Frequently Changed Elements
This report ranks the most frequently changed elements that meet the specified criteria. For each element, the report identifies the total number of changes, the time of the most recent change, and the element’s node.
... a means of identifying elements that change on a regular basis as part of normal business processes. With this data, you can adjust your rules to optimize the efficiency of version checks.
Frequently Changed Nodes
This report ranks the most frequently changed monitored systems that meet the specified criteria. The report includes the total number of detected changes for each system, as well as the totals for each type of change (added, removed, or modified).
... a means of identifying monitored systems that experience frequent changes.
Report Type Report Output Typically used as ...
Inventory Changes
For your Tripwire Enterprise implementation, this report calculates the number of nodes that have been added, modified, and deleted over a specified period of time.
... a means of verifying that the removal of nodes from Tripwire Enterprise was authorized.
Last Node Check Status
Within a specified time range, this report lists the date and time of the last version check run on each monitored system identified by report criteria. As appropriate, report output can include:
l The names of all nodes for which the last version check ran successfully.
l The names of all nodes for which the last version check failed.
l The names of all nodes for which a version check wasnot run.
... verification that version checks are running as expected and without failures.
Missing Elements
This report identifies nodes that lack 1) elements with specific names or 2) elements created by a specific rule or rule group.
... an administrative tool to detect configuration drift in monitored systems.
Nodes with Changes
This report identifies all changed monitored systems that meet the specified criteria.
... a high-level report showing the proportion of monitored systems that are not in their baseline state.
Reference Node Variance
This report identifies all elements that differ between one node (the reference node) and another (the compare node). In a single report, the reference node may be compared with one or more compare nodes.
... a means of detecting configuration drift among monitored systems that should be identical.
Remediation Assessment
This report summarizes information generated by automated remediation activities.
Note: This report type is only available if an Automated Remediation license is installed on the TE Console.
... a summary of automated remediation activities that were performed, or
... a “punch list” of manual post-remediation steps to be performed.
Remediation Work Orders Details
This report provides detailed information about remediation work orders and remediation entries that meet the specified criteria.
Note: This report type is only available if an Automated Remediation license is installed on the TE Console.
... a means for users to review detailed information about automated
remediation activities that have been performed, or that need to be performed.
Remediation Work Orders Summary
This report provides a high-level summary of remediation work orders and remediation entries.
Note: This report type is only available if an Automated Remediation license is installed on the TE Console.
... an administrative tool for managers who oversee remediation activities performed by others.
Scoring For each specified TE policy, this report provides the latest policy score calculated for each specified node, as well as the number of waivers employed in the calculation of the score.
… an audit report that shows the policy scores for selected nodes.
Tripwire Enterprise 8.2 User Guide 169 Chapter 3. Terms, Concepts, and Functions
Report Type Report Output Typically used as ...
Scoring History
For all policy scores that satisfy the report’s criteria, this report presents the following data for each period in the specified time range:
l The highest and lowest policy scores for the period.
l The average policy score for the period.
… a management report that may indicate past trends in the policy scores of selected nodes.
System Access Control
This report lists the user permissions
associated with each user role that meets the specified criteria.
... a reference list that provides a complete overview of current user-access authorizations and
permissions.
System Log This report identifies all Tripwire Enterprise log messages that meet the specified criteria.
... a user-defined query of the Tripwire Enterprise system log.
Tasks This report indicates the current status of specified tasks.
... a means of quickly determining the current status of tasks.
Test Result Summary
For each specified Policy Manager object, this report indicates:
l The number of specified nodes that are not in full compliance with the Policy Manager object.
l The number and percentage of specified nodes that are in full compliance with the object.
Note: In previous versions of Tripwire Enterprise, this report was known as a ‘Policy Scorecard Report.’
... a high-level management report that provides a comprehensive view of compliance throughout your
organization.
Test Results By Node
This report presents data about policy test results for all nodes specified by the report criteria. The output of the report contains:
l A summary list of nodes, which includes the total number of policy test results that each node passed and failed.
l A detailed list of nodes, which includes a sub-list of policy tests run on each node.
For each policy test, this list may also indicate the test’s rule(s) and version-attribute conditions.
l A list of nodes that experienced errors when a policy test was run.
… a reference list showing failed policy test results that indicate monitored systems requiring remediation.
Unreconciled Change Aging
This report identifies nodes that have one or more elements with a current change version.
For each node, the report calculates the age of the oldest current change version. In the report’s output, TE chronologically groups the nodes according to this age.
... a means of identifying monitored systems in need of attention.
Report Type Report Output Typically used as ...
Unchanged Elements
For one or more nodes, this report identifies all elements for which Tripwire Enterprise didnot detect a change within the specified time range. Alternatively, this report can identify the rules used to baseline any unchanged elements.
Note: Since the number of unchanged elements may be extremely large, you should narrow report criteria to the greatest extent possible.
... a means of identifying unchanged monitored objects that were expected to change over a specified period.
Unmonitored Nodes
This report identifies:
l Nodes that lack a valid Tripwire Enterprise license (seeWhat are Tripwire Enterprise Licenses? on page 199).
l Nodes that have not been baselined or version checked within a specified period of time.
l Monitored virtual machines on which a Tripwire Enterprise Agent has not been installed and enabled (seeHow are Nodes Created? on page 56).
... an administrative report to ensure that the proper nodes are being monitored.
User Roles For one or more nodes and/or node groups, this report identifies the effective user role for each specified user account. For more information, seeWhat is an Effective User Role? on page 204.
Note: This report is a legacy feature of Tripwire Enterprise. In TE 7.0.1 and later, you should instead create a User Roles All Object Types Report.
… a means to ensure that proper levels of control have been assigned to existing user accounts.
User Roles All Object Types
For one or more TE objects, this report identifies the effective user role for each specified user account. For more information, seeWhat is an Effective User Role? on page 204.
… a means to ensure that proper levels of control have been assigned to existing user accounts.
Tripwire Enterprise 8.2 User Guide 171 Chapter 3. Terms, Concepts, and Functions