About Tripwire State Analyzer
Tripwire State Analyzer (TSA) is an enterprise-level security configuration management (SCM) tool used to manage and enforce established baselines.
To do this, TSA uses data collected by Tripwire Enterprise (TE) and compares it to an Allowlist. An Allowlist is a list of items that comply with industry, regulatory, or organizational standards. Each permitted item on an Allowlist is referred to as an Allowed Item. Tripwire State Analyzer uses a different Allowlist for each Allowlist Type (open ports, services, user accounts, etc.) it monitors.
TSA is optimized to work with Allowlists, enabling you to quickly identify and correct unauthorized configuration changes. Many of the other aspects of the process (collecting data and reporting, for example) are managed in Tripwire Enterprise.
Note: Tripwire State Analyzer replaces and expands upon the Tripwire Whitelist Profiler (WLP) app. The "whitelists" in WLP are referred to as Allowlists in TSA, but they are functionally the same.
How TSA Works with Tripwire Enterprise
When TSA is first installed, you import TSA rules, tasks, and reports into Tripwire Enterprise. TE uses these rules and tasks to run regular version checks and collect data about monitored systems. This data is stored in TE as elements and element versions, and is normally used by TE to track changes to your systems, and to ensure policy compliance.
TSA uses TE data for a slightly different purpose: it compares Allowlists with the element data generated by this TE rule group: Tripwire State Analyzer > Server-side Rules > Query Rules.
During an Allowlist Assessment, Tripwire State Analyzer compares TE element data to a corresponding Allowlist and creates a list of Authorized, Unauthorized, and Unused Items.
- Authorized Items match an Allowed Item in an Allowlist.
- Unauthorized Items do not match any Allowed Items in an Allowlist.
- Unused Items are Allowed Items that were not found during the Assessment.
Note: Allowlist Assessments are distinct from check tasks in TE. The TE check tasks for the Query Rules collect raw asset configuration data into TE elements. TSA Allowlist Assessments read the raw data from the same elements and evaluate it against TSA Allowlists. Because of this dependency, Allowlist Assessment results are only as accurate as the TE data they are performed against.
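The three-way classification described above, as an added example (not TSA code or its data format). The node names, items, and the `(node, allowlist_type, item)` tuples standing in for TE element data are constructed, and exact string matching is an assumption. An Allowed Item counts as Unused only if no node in the assessment reported it.

```python
# Constructed Allowlists, one per Allowlist Type (not TSA's real format).
ALLOWLISTS = {
    "open_ports": {"22/tcp", "443/tcp", "8443/tcp"},
    "services": {"sshd", "nginx", "chronyd"},
}

# Constructed stand-in for TE element data: (node, allowlist_type, item).
ELEMENT_DATA = [
    ("web01", "open_ports", "22/tcp"),
    ("web01", "open_ports", "443/tcp"),
    ("web01", "open_ports", "23/tcp"),
    ("web01", "services", "sshd"),
    ("web01", "services", "nginx"),
    ("web01", "services", "telnetd"),
    ("db01", "open_ports", "22/tcp"),
    ("db01", "services", "sshd"),
]


def assess(allowlists, element_data):
    """Classify collected items per Allowlist Type.

    Authorized and Unauthorized are tracked per node so a finding can be
    traced to a system. Unused starts as the full Allowlist and shrinks
    each time any node reports a matching item.
    """
    results = {
        atype: {"authorized": set(), "unauthorized": set(), "unused": set(allowed)}
        for atype, allowed in allowlists.items()
    }
    for node, atype, item in element_data:
        if atype not in allowlists:
            continue  # no Allowlist for this type, so nothing to compare against
        bucket = results[atype]
        if item in allowlists[atype]:
            bucket["authorized"].add((node, item))
            bucket["unused"].discard(item)
        else:
            bucket["unauthorized"].add((node, item))
    return results


RESULTS = assess(ALLOWLISTS, ELEMENT_DATA)

if __name__ == "__main__":
    for atype, buckets in RESULTS.items():
        for status, items in buckets.items():
            print(atype, status, sorted(items))
```

If a node's data was never collected, its items simply do not appear in the input, so they can show up as Unused rather than Unauthorized; this is the dependency on TE data accuracy that the note describes.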
To start using Tripwire State Analyzer, see Getting Started with State Analyzer.