Getting Started with Tripwire Change Analyzer

Tripwire Change Analyzer (TCA) is a cloud-based service that integrates with Tripwire Enterprise (TE) to reconcile file changes. It compares file changes detected by TE against the "known good" file manifest and digest information (SHA-1, SHA-256, and SHA-512) from Red Hat Enterprise Linux RPM packages or Windows Updates.

When integrated with Tripwire Enterprise (TE), Tripwire Change Analyzer:

  • collects the latest changed element version data for file changes from Tripwire Enterprise
  • compares this data against "known good" file manifest and digest information
  • automatically promotes element versions in TE that match "known good" files

In short, TCA helps to reduce noise from changes and allows TE administrators to focus on the changes that are most likely to be unauthorized or malicious.

Note:  

Tripwire Change Analyzer is the successor to Tripwire's Dynamic Software Reconciliation (DSR) app.

Quick Start Video

This video provides a simplified overview of the procedure below.

Requirements

To use Tripwire Change Analyzer with Tripwire Enterprise, you need the following:

  • A working TE Console installation with TE Console version 8.8.7 or later.
  • Administrative access to the TE Console and the system where it's installed.
  • TE nodes with these supported operating systems.
  • Access to the Tripwire Customer Center (https://tripwireinc.force.com/customers/home) to download the rules used by TCA.
  • An active subscription to TCA and access to Tripwire.io. You should have received your account username in a welcome email.
  • A Tripwire.io user account with the AssetUser, SupervisorAdmin, and TCAUser Roles. For more information, see User Role Descriptions.

Step 1. Create a TE Service Account for TCA

TCA requires a user account with the Administrator role on each TE Console. We recommend that you create a dedicated service account for TCA.

Note:  

If you already have a service account with the Administrator role on your TE Console, you can also use that account with TCA and skip to the next step.

To create a TE user account with the Administrator role:

  1. Log in to the TE Console with Administrator privileges.
  2. In the Manager bar, click SETTINGS.
  3. Under the Administration folder, click Users.
  4. Click New User.
  5. Enter a Username (for example "TCA Service Account") and click Next.
  6. Enter and confirm a Password for the user and click Next.
  7. Select the Administrator user role and click Finish.

Step 2. Integrate TCA with a TE Console

To integrate TCA with a TE Console, you install TE Supervisor software on the TE Console system. The Supervisor software manages communication between TE and TCA.

You can download the Supervisor software you need from Tripwire.io, Tripwire's SaaS platform. After downloading the software, all other configuration takes place in the TE Console.

Notes:  

If a TE Console is integrated with Tripwire State Analyzer (TSA), the TE Supervisor software is already installed on the Console system. Skip to Step 3. Download and Import CCA Rules to continue the configuration process.

You can use TCA with multiple TE Consoles, but you must download and install a separate Supervisor file for each Console system.

To download Supervisor software and install it on a TE Console system:

  1. Log in to https://tripwire.io using the credentials you received in your registration email.
  2. In the left navigation bar, navigate to Settings > Data Sources.
  3. Click NEW DATA SOURCE and complete the form:
    • Host Name is the fully-qualified domain name or IP address of the TE Console.
    • Friendly Name is an optional name used to identify this Data Source in Tripwire.io.
    • For Product, select Tripwire Change Analyzer.
    • For Platform, select the OS of your TE Console system.
    • The Tripwire Enterprise API Port will be 443 unless you have changed it.
  4. Click GENERATE & CLOSE to create a Supervisor zip file that is customized for the TE Console. The zip file will contain a README with installation instructions.
  5. Follow the instructions in the README file to install the software on the TE Console system.

    After the Supervisor is installed, the TE Console will connect with Tripwire.io automatically.

  6. In Tripwire.io, navigate back to Settings > Data Sources, then review the new Data Source Connection Request and click Accept.

    Note:  

    Use the TE Console credentials for the TCA service account to accept the request.

  7. Navigate to Environment > Assets and check that the nodes being monitored by this TE Console appear in the list. This confirms that the Console is successfully integrated with Tripwire.io.

    Note:  

    It may take several minutes for the new nodes to appear on the Assets page.

Step 3. Download and Import CCA Rules

TCA integrates with TE using a specific set of pre-configured rules known as Critical Change Audit (CCA) rules. In this step, you will download these rules from the Tripwire Customer Center (TCC) and import them into your TE Console.

Notes:  

If you are already using Tripwire's Critical Change Audit rules in TE, you can skip to Step 4. Run a Version Check with the CCA Rules.

You can modify the pre-configured CCA rules as long as you:

  • ensure that SHA-1, SHA-256, and/or SHA-512 attributes are added to any criteria set.
  • do not modify any rule Tracking Identifiers.

Duplicate pre-configured CCA rules will not work with TCA.

To download Critical Change Audit rules from the TCC:

  1. Navigate to the Tripwire Customer Center (https://tripwireinc.force.com/customers) and log in.
  2. In the top navigation bar, select Products > Product Downloads.
  3. In the Tripwire Enterprise section, click Download Content.
  4. Using the search bar at the top of the Content page, search for "Critical Change Audit" to find the CCA rules.

    Note:  

    You should download the most specific version of the CCA rules that is available for your operating system(s). For example, to monitor Windows Server 2016, download Critical Change Audit Rules - MS Windows 2016, not Critical Change Audit Rules - MS Windows. If an OS-specific version of the CCA rules is not available, you can use the generic version of the CCA rules for that platform.

  5. For each operating system you want to monitor with TCA:

    1. Click the appropriate link to download the CCA rules.
    2. Save the zip file to a location that is accessible from the TE Console system.
    3. Extract the zip file.
  6. Once you've downloaded all of the CCA rule sets, log out of the TCC.

To import CCA rules into a TE Console:

  1. Log in to the TE Console from the TE Console system.
  2. In the Manager bar, click RULES.
  3. In the tree pane, select the Root Rule Group.
  4. For each set of rules to be imported:
    1. Click Import.
    2. In the Import Rules dialog, click Browse.
    3. Select an XML file you extracted in the previous step.
    4. Click OK.
  5. Review the README that came in the zip file with the CCA rules. Some additional configuration may be necessary to use the rules.

Step 4. Run a Version Check with the CCA Rules

After downloading and importing the Critical Change Audit rules, you need to use them in a TE version check to generate the element data that TCA will use for analysis. To do this, you can either create a recurring check rule task or manually launch a version check using the rules.

Notes:  

Since CCA rules are specific to each platform and version, you will need to create and run a different check rule task (or manually run a version check) for each platform/version combination.

Within each CCA rule group, TCA only supports the rules in the File System sub-group. Make sure to select this group when creating tasks or running manual version checks.

To create and run a check rule task using the CCA rules:

  1. In the Manager bar, click TASKS.
  2. In the tree pane, click the task group in which the new task will be created.
  3. Click Manage > New Task.
  4. In the New Task dialog, select Check Rule Task and click OK.
  5. Complete the wizard, making sure to select nodes and CCA rules that have the same OS.
  6. After each task is created, run it manually to verify that it's working:
    1. Select the task.
    2. Click Control > Run.

To run the CCA rules manually:

  1. In the Manager bar, click NODES.
  2. In the tree pane, click the node group with the nodes to be checked.
  3. In the main pane, select the check box for each node or node group to be checked.
  4. Click Control > Check and select Selected nodes with rule or rule group.
  5. Choose the appropriate set of CCA rules for the selected nodes.
  6. Click OK.

Step 5. Verify that Element Versions are Promoted

Each time TE uses the Critical Change Audit rules in a version check, the resulting element versions are automatically sent to TCA for analysis.

  • If TCA successfully identifies an element version as a "known good" file, TE will automatically promote that version to the baseline. Changes that are generated from file or package removal are also promoted.
  • If TCA cannot verify that an element version is "known good", there is no further action in TE.
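The reconciliation logic described in the overview and in the two bullets above, written out as an added example (not Tripwire's code): each changed element version is promoted if it is a removal or if its recorded SHA digest matches the manifest entry, left alone if it cannot be verified, and flagged if the criteria set carried no SHA attribute at all (the rule-modification caveat in Step 3). The manifest and file contents are constructed for the example.

```python
import hashlib

# Constructed stand-in for the "known good" manifest TCA would hold for a
# package: path -> {algorithm: hex digest}, computed here from sample bytes.
SAMPLE_CONTENTS = {
    "/usr/bin/example": b"#!/bin/sh\necho vendor build 1.2.3\n",
    "/etc/example.conf": b"listen = 443\n",
}
ALGORITHMS = ("sha1", "sha256", "sha512")


def digests_for(data: bytes) -> dict:
    """Return the SHA-1/SHA-256/SHA-512 digests a TE criteria set can record."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


KNOWN_GOOD = {path: digests_for(data) for path, data in SAMPLE_CONTENTS.items()}


def reconcile(path: str, removed: bool, digests: dict, manifest: dict = KNOWN_GOOD) -> str:
    """Classify one changed element version.

    Returns one of:
      "promote-removed"    - file or package removal, promoted without a lookup
      "promote-known-good" - every recorded SHA digest matches the manifest
      "no-digest"          - no SHA-1/256/512 attribute recorded, so nothing
                             can be reconciled (check the rule's criteria set)
      "no-action"          - cannot be verified; left for the administrator
    """
    if removed:
        return "promote-removed"
    recorded = {alg: d.lower() for alg, d in digests.items() if alg in ALGORITHMS}
    if not recorded:
        return "no-digest"
    expected = manifest.get(path)
    if expected is None:
        return "no-action"
    # One matching algorithm is enough to promote, but a mismatch on any other
    # recorded algorithm means the bytes are not the vendor's, so do not trust it.
    if all(expected[alg] == d for alg, d in recorded.items()):
        return "promote-known-good"
    return "no-action"


def reconcile_batch(versions: list, manifest: dict = KNOWN_GOOD) -> dict:
    """Map each changed element version (dict with path/removed/digests) to its outcome."""
    return {
        v["path"]: reconcile(v["path"], v.get("removed", False), v.get("digests", {}), manifest)
        for v in versions
    }
```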

To identify element versions that were promoted by TCA:

  1. In the Manager bar, click the VERSION SEARCH tab.
  2. In the Promotion approval identity field on the left side, enter "Tripwire Change Analyzer".
  3. Click Search.