Insights, Techniques, and Enhancements for Tripwire’s State Analyzer

By Sharique

During the recent Tripwire Energy and NERC Compliance Working Group, a session was conducted to showcase some useful insights and methods for optimizing the latest version of Tripwire State Analyzer (TSA) to better suit your organization’s needs. The most recent version, 1.5.2, comes equipped with features that align with contemporary systems and practices, along with enhancements in its integration with Tripwire Enterprise (TE).

Integration with Active Directory and Assessment Results Tripwire State Analyzer efficiently manages Allowlists and then compares the managed Allowlist data with the actual data collected by TE through the element version data. This comparison assesses your systems against expected configurations, aiding in the automated approval of compliant configuration items. The results are relayed back to Tripwire Enterprise, primarily serving as the source for reporting, although generating reports within TSA is also feasible.

For instance, if there’s a need to justify a list of ports on an Allowlist, the Axon agent or Tripwire agent can retrieve that data to compare it with the Allowlists, generating a record of approved and unapproved ports. This simplifies the reporting process, particularly for compliance with NERC CIP 010-R1. TSA effectively manages Allowlists of various components auditors scrutinize based on CIP standards, enabling the production of comprehensive reports outlining the current allowed information on these systems. Additionally, Tripwire provides Allowlist entries for each of its products in the assessment documentation, serving as a foundation for Allowlists, if required for NERC CIP documentation.

Conducting assessments can occur either based on a schedule or whenever TSA receives updated information from TE. The behavior of TSA upon receiving new data is determined by an option that can be configured in the Preferences page. Enabling the option labeled “create assessment results automatically on TE after each query rule run” in the Allowlist basic settings triggers the automatic assessment of new data as it arrives, with the results promptly written back to TE Reports upon completion.

A noteworthy aspect is that automatically running assessments won’t alter the counts in the Allowlist assessments page of TSA since these assessments occur in the background. To view the current results in the TSA console as well, assessments can either be scheduled to run on a predetermined schedule or initiated manually when accessing the Assessment screen.

Tip for Agentless Port Monitoring At times, data from non-agent based devices scanned using NMAP may fail to reach TSA for assessment due to a failed NMAP Document Type Definition (DTD) check, observable in the TE supervisor logs. This could be attributed to an outdated NMAP version causing the DTD check to malfunction. To address this, options include updating to a compatible NMAP version, substituting with a correct NMAP DTD for the installed version, or relocating the DTD check file from the external directory under the TSA supervisor, ensuring accurate reading of NMAP files and expected assessment of network devices.

Efficient Management of Allowlists Ephemeral ports can pose challenges on Allowlists, especially when flagged as violations, leading to multiple entries for the same port on a system over time. Managing ephemeral ports individually on each system can significantly slow down the Tripwire assessment and impact efficiency. Utilizing groupings and defining Allowlists for port ranges rather than individual ports can substantially reduce the number of entries, enhancing TSA’s performance and accuracy.

Another approach involves exporting the Allowlist to a CSV file, sorting it to identify all versions of a particular software in the environment, and consolidating multiple entries into a single package covering the installation of that software. This reduces redundant entries across the enterprise and optimizes TSA’s assessment process.

Other Noteworthy Updates Java 11 Support: TSA 1.5.2 now supports Java 11 for the TE supervisor, facilitating seamless communication between Tripwire Enterprise server and Tripwire State Analyzer appliance. This enables the removal of Java version 8, enhancing system compatibility.

Timeout Value Configuration and other new features: Configuration assessment timeout values are now customizable in the Allowlist preferences, preventing endless assessment processes and providing flexibility in assessment duration. Additionally, TCP dump is accessible via the TSA command line, enabling efficient troubleshooting of communication issues.

Registry Discovery Updates: TSA’s “Windows software” rule has been enhanced to discover more software packages, with updated configuration settings to include all registry keys where the software is installed. This ensures a comprehensive listing of installed software, enhancing the assessment process’s accuracy and reliability.

These updates and techniques offer valuable insights and enhancements to optimize the functionality and performance of Tripwire’s State Analyzer, empowering organizations to bolster their security posture effectively.

Leave a Comment