
What are Rule Types?

In document Tripwire Enterprise User Guide (Page 77-81)

A rule is a Tripwire Enterprise object that identifies one or more monitored objects. For each type of monitored system, TE provides a unique set of rules:

• Database rules (see Table 20 below)

• Network device rules (see Table 21 on the next page)

• Directory rules (see Table 22 on the next page)

• File server rules (see Table 23 on page 79)

• Virtual infrastructure rules (see Table 24 on page 80)

Each of these rule types can only identify objects for the corresponding type of monitored system. For example, file server rules can only be used to identify monitored objects for file servers.

Tripwire Enterprise uses rules to:

• Baseline a monitored system (see About Baselines on page 43)

• Version check a monitored system (see About Version Checks on page 44)

• Refine the scope of a policy test (see How Does a Policy Test Work? on page 128)

Tip: In the Root Group of the Rule Manager, you can create rule groups to organize the rules in your TE implementation. For more information, see About Groups on page 31.

Table 20. Types of database rules

Rule type: Database metadata rules
Definition: A metadata rule specifies database configuration parameters and/or database objects. For further details, see How Does a Database Metadata Rule Work? on page 87.

Note: This version of Tripwire Enterprise can monitor Oracle, Microsoft SQL Server, DB2, and Sybase ASE databases.

Rule type: Database query rules
Definition: A query rule defines one or more SQL queries to retrieve content from monitored databases. For more information, see How Does a Database Query Rule Work? on page 89.

Tripwire Enterprise 8.2 User Guide 77 Chapter 3. Terms, Concepts, and Functions

Table 21. Types of network device rules

Rule type: Command output validation rules (COVRs)
Definition: A COVR runs a command on a network device to generate output. To identify changes, Tripwire Enterprise compares the output with previous output from the system. For more information, see How Does a Command Output Validation Rule (COVR) Work? on page 97.

Rule type: Configuration file rules
Definition: A configuration file rule (or configuration rule) specifies configuration files on a specific type of network device produced by a single vendor. For example, a Cisco IOS configuration file rule can only identify configuration files on Cisco IOS routers. For more information, see Creating a Configuration File Rule on page 433.

Rule type: File rules
Definition: A file rule specifies files on a network device to be checked for changes in content. Unlike configuration file rules, file rules can identify any type of file.

• A custom file rule identifies files on a network device represented by a custom node (see Creating a Custom Node on page 363).

• A UNIX file rule identifies files on a UNIX system. A UNIX system is any system running a POSIX-compliant, UNIX-based operating system.

For more information, see Creating a File Rule on page 437.

Note: VMware ESX file rules have been replaced by virtual infrastructure rules. For more information, see Table 24 on page 80.

Rule type: Status check rules
Definition: A status check rule determines the availability of a network device; in other words, whether or not the Tripwire Enterprise Server can access and communicate with the system. To create a status check rule, see Creating a Status Check Rule on page 438.

Table 22. Types of directory rules

Rule type: Active Directory rules
Definition: An Active Directory rule specifies entries in an Active Directory.

Note: For more information about directory rules, see How Does a Directory Rule Work? on page 90.

Rule type: eDirectory rules
Definition: An eDirectory rule specifies entries in a Novell eDirectory.

Rule type: LDAP rules
Definition: An LDAP rule specifies entries in any directory that uses LDAP as the directory protocol. LDAP (Lightweight Directory Access Protocol) is a standard, vendor-independent protocol.

Rule type: Sun directory rules
Definition: A Sun directory rule specifies entries in a Sun directory service (either Sun Java System Directory Server or Sun ONE Directory Server).

Table 23. Types of file server rules

Rule type: Command output capture rules (COCRs)
Definition: A command output capture rule (COCR) runs a command on a file server to generate output. To identify changes, Tripwire Enterprise compares the output with previous output from the server. For more information, see How Does a Command Output Capture Rule (COCR) Work? on page 96.

Rule type: Log transfer rules
Definition: A log transfer rule runs a command on an Agent system to generate output, which is then transferred to Tripwire Log Center (TLC). In TLC, the output is converted into TLC log messages (see What are Log Messages? on page 159). For more information, see How Does a Log Transfer Rule Work? on page 95.

Note: Unlike other rules, log transfer rules do not identify monitored objects.

Rule type: UNIX file system rules
Definition: A UNIX file system rule identifies directories and files in the file system of a UNIX operating system. For further details, see How Does a File System Rule Work? on page 81.

Rule type: Windows file system rules
Definition: A Windows file system rule identifies directories and files in the file system of a Windows operating system. For further details, see How Does a File System Rule Work? on page 81.

Rule type: Windows registry rules
Definition: A Windows registry rule identifies keys and entries in the registry of a Windows operating system. For further details, see How Does a Windows Registry Rule Work? on page 83.

Rule type: Windows RSoP rules
Definition: A Windows RSoP rule defines one or more queries to retrieve reports on the Resultant Set of Policy (RSoP) for specified Windows users. For more information, see How Does a Windows RSoP Rule Work? on page 86.


Table 24. Types of virtual infrastructure rules

Rule type: VI hypervisor rules (see notes A and B below)
Definition: This rule type identifies configuration files and parameters for a hypervisor. For example, a VMware ESX rule identifies:

• All VMware ESX configuration files on a VI host machine.

• All configuration parameters specified by the VMware application program interface (API).

For more information, see Creating a VI Hypervisor Rule on page 439.

Rule type: Virtual machine configuration rules (see note B below)
Definition: This type of rule identifies the configuration parameters for virtual machines managed by a hypervisor. For example, a VMware VM rule identifies all configuration parameters for a virtual machine managed by a VMware ESX host. For more information, see Creating a Virtual Machine Configuration Rule on page 439.

Rule type: Virtual switch configuration rules (see note B below)
Definition: This type of rule identifies the configuration parameters for virtual switches managed by a hypervisor. For example, a VMware vSwitch rule identifies all configuration parameters for a virtual switch managed by a VMware ESX host. For more information, see Creating a Virtual Switch Configuration Rule on page 440.

Rule type: Distributed virtual switch rules
Definition: This type of rule identifies the configuration parameters for distributed virtual switches managed by a hypervisor. For example, a VMware vNetwork Distributed Switch rule identifies all configuration parameters for a virtual switch managed by a vCenter server. For more information, see Creating a Virtual Switch Configuration Rule on page 440.

Rule type: Command output hypervisor rules (COHRs)
Definition: This type of rule runs a command on a hypervisor's host machine to generate output. In Tripwire Enterprise, the output is represented by a single element that adopts a name specified in the properties of the rule. When a COHR results in the creation of an element version, TE saves the output's content in the version's properties, along with an MD5 hash of the content. For more information, see Creating a Command Output Hypervisor Rule on page 432.

Note: A COHR can only generate output for host machines that grant remote users access via SSH.

Note A: A VI hypervisor rule (e.g. a VMware ESX rule) identifies the following configuration files on an ESX host: esx.conf, hostAgentConfig.xml, hosts, license.cfg, motd, penwsman.conf, proxy.xml, snmp.xml, ssl_cert, ssl_key, syslog.conf, vmware_config, vmware_configrules, vmware.lic, vpxa.cfg.

Note B: VMware's Managed Object Browser (MOB) is a Web-based server application installed on all VMware ESX hosts and vCenter servers. In the MOB, you can review all parameters for ESX hosts, virtual machines, and vSwitches.
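The three command-output rule types described above (COVRs for network devices, COCRs for file servers, COHRs for hypervisors) share one pattern: the command output becomes a single element named from the rule's properties, each element version stores the content plus an MD5 hash of it, and a version check reports a change only when fresh output differs from the previous version. The Python sketch below is an added illustration of that baseline/version-check cycle, not Tripwire Enterprise code; the class names, the element name and the sample NTP command output are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical model of a command-output rule (COCR/COVR/COHR); not TE code.

@dataclass
class ElementVersion:
    content: str      # captured command output
    md5: str          # MD5 hash of the content, stored with the version
    change_type: str  # "baseline" or "modified"

@dataclass
class CommandOutputRule:
    element_name: str   # the single element adopts the name set in the rule
    command: str        # command run on the monitored system
    versions: list = field(default_factory=list)

    @staticmethod
    def digest(content: str) -> str:
        return hashlib.md5(content.encode("utf-8")).hexdigest()

    def baseline(self, output: str) -> ElementVersion:
        """Record the baseline version of the rule's element."""
        version = ElementVersion(output, self.digest(output), "baseline")
        self.versions = [version]
        return version

    def version_check(self, output: str):
        """Compare fresh output with the latest version; create a new
        version only when the hash differs, otherwise return None."""
        if not self.versions:
            raise RuntimeError(f"{self.element_name}: no baseline yet")
        new_hash = self.digest(output)
        if new_hash == self.versions[-1].md5:
            return None
        version = ElementVersion(output, new_hash, "modified")
        self.versions.append(version)
        return version

# Constructed sample output for a hypothetical rule capturing NTP servers.
BASELINE_OUTPUT = "server 10.0.0.5\nserver 10.0.0.6\n"
CHANGED_OUTPUT = "server 10.0.0.5\nserver 198.51.100.9\n"

def run_cycle():
    """Baseline, then an unchanged check, then a check that finds a change."""
    rule = CommandOutputRule("ntp-servers", "cat /etc/ntp.conf")
    first = rule.baseline(BASELINE_OUTPUT)
    unchanged = rule.version_check(BASELINE_OUTPUT)  # None: hashes match
    changed = rule.version_check(CHANGED_OUTPUT)     # new "modified" version
    return first, unchanged, changed, rule
```

In a real deployment the output would come from the command run over SSH on the host, as the COHR note above requires; here it is embedded so the cycle runs offline.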
