Allowed Items
An Allowlist is a list of items that comply with industry, regulatory, or organizational standards. See Types of Allowlists for more information. Each permitted item on an Allowlist is referred to as an Allowed Item. Tripwire State Analyzer uses a different Allowlist for each Allowlist Type (open ports, services, user accounts, etc.) it monitors.
On the Allowed Items page, there is a tab for each Allowlist Type that TSA monitors. You can configure TSA to show or hide these tabs from the Display Types tab of Allowlist Settings.
- Each row represents a different Allowed Item.
- Items with a NEW label were created recently. How long the label is displayed can be configured on the Allowlist Settings Preferences tab. The default is 24 hours.
- Click on an Item to see more details about it.
- Use the icons above the table to import or export Allowed Items from an external file, show and hide columns, or filter the Items displayed.
You can also see the history of changes for each Allowed Item, compare versions over time, and restore a previous version.
Working with Allowed Items
From the Allowed Items page, you can create a new Allowed Item or modify an existing one.

- Navigate to State Analyzer > Allowed Items and select the tab for the type of Allowlist Item you want to add.
- Click the NEW <ITEM TYPE> button.
- In the New Item pane, configure Attributes, which describe the basic configuration of the Item.
- To use a regular expression, enter it in the appropriate field and select Regular Expression.
- Select Is Enabled to enable processing of this Item during an Allowlist assessment.
- Select Show Content in TE? to display this element's content in TE.
- Configure the Scope, which specifies the monitored systems that should be evaluated against this Item during an Allowlist Assessment:
- Select All Assets to evaluate this Item against all assets associated with this TSA Data Source.
- To evaluate only a subset of assets, enter or select criteria used to identify assets (Tags, IP Addresses, Assets, etc.).
- Enter values for any User-Defined Attributes. User Defined Attributes for an Allowlist can be created on the corresponding Attributes tab on the Allowlist Settings page.
- Click Save.
Note: Each Allowed Item in TSA must be unique. Specifically, each new Allowed Item created must have at least one value in the Attributes or Scope sections that is different from an existing Allowed Item. User-Defined Attributes are not considered when comparing a new Allowed Item to existing Items.

- Navigate to State Analyzer > Allowed Items and select the tab for the Allowlist with the Item you want to modify.
- Select one or more Allowed Items and click one of these buttons:
- Edit: You can only edit one Item at a time.
- Duplicate: You can only duplicate one Item at a time. You must make a change to the duplicate Item before you can save it.
- Add Version: Append the Recommended Versions to the list of Allowed Versions.
- Update Version: Replace the Allowed Versions with the Recommended Versions.
- Delete: Remove the Item(s) from the Allowlist.
- Enable/Disable: Enable or disable the processing of the Item(s) during an Allowlist Assessment.
- Show/Hide: Show or hide the Item(s) in element content in TE.
After modifying Allowed Items in an Allowlist, you must re-run any Assessments that use that Allowlist to see the changes reflected.
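The following Python script is an added illustration, not TSA code or part of this guide. It models how an Allowlist Assessment applies the options described above to an Open Ports Allowlist: only Items that are enabled and whose Scope covers the asset are considered, and an Item matches either literally or, when Regular Expression is selected, as a pattern. The class and field names (AllowedPort, is_regex, tags and so on), the whole-value regex matching, the sample Allowlist and the observed port records are all assumptions constructed for the example; TSA's real data model is described in its CSV File Reference.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedPort:
    """One Allowed Item of the Open Ports Allowlist type (field names assumed)."""
    protocol: str                  # "tcp" or "udp"
    port: str                      # port number, or a regex when is_regex is True
    process: str                   # process name, or a regex when is_regex is True
    is_regex: bool = False         # "Regular Expression" option in the New Item pane
    is_enabled: bool = True        # "Is Enabled" option
    all_assets: bool = True        # Scope: "All Assets"
    tags: frozenset = frozenset()  # Scope by Tags when all_assets is False

    def in_scope(self, asset_tags):
        # All Assets covers every asset; otherwise the asset needs a matching tag.
        return self.all_assets or bool(self.tags & asset_tags)

    def matches(self, protocol, port, process):
        if protocol.lower() != self.protocol.lower():
            return False
        if self.is_regex:
            # Assumption: the pattern must cover the whole value (fullmatch),
            # so a pattern of "80" does not silently allow port 8080.
            return (re.fullmatch(self.port, str(port)) is not None
                    and re.fullmatch(self.process, process) is not None)
        return str(port) == self.port and process == self.process


def assess_open_ports(observed, allowlist, asset_tags):
    """Return the observed (protocol, port, process) records that no enabled,
    in-scope Allowed Item covers. An empty list means the asset is compliant."""
    active = [item for item in allowlist
              if item.is_enabled and item.in_scope(asset_tags)]
    return [rec for rec in observed
            if not any(item.matches(*rec) for item in active)]


# Constructed sample Allowlist and observed ports (not real data).
ALLOWLIST = [
    AllowedPort("tcp", "22", "sshd"),
    AllowedPort("tcp", r"80|443", r"nginx|httpd", is_regex=True),
    AllowedPort("tcp", "3306", "mysqld", all_assets=False, tags=frozenset({"db"})),
    AllowedPort("udp", "161", "snmpd", is_enabled=False),   # disabled: ignored
]
OBSERVED = [
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
    ("tcp", 3306, "mysqld"),
    ("udp", 161, "snmpd"),
    ("tcp", 4444, "nc"),
]

if __name__ == "__main__":
    for tags in (frozenset({"web"}), frozenset({"db"})):
        print(sorted(tags), "->", assess_open_ports(OBSERVED, ALLOWLIST, tags))
```

Running it shows why Scope and Is Enabled matter for the outcome: the same observed port list produces three findings for an asset tagged `web` (the MySQL Item is out of scope, the SNMP Item is disabled, and nothing allows port 4444) but only two for an asset tagged `db`.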
Managing Software Allowed Items from a Patching Solution
If you have integrated TSA and a patching solution (see Integrating TSA with a Patching Solution in the Tripwire State Analyzer Administration Guide), you can manage the allowed and recommended versions of Software Allowed Items from the Software tab.
To do this, you first create new Allowed Items based on software detected by the patching solution. Then you can manage the allowed and recommended versions of those Allowed Items to make sure that only approved versions are allowed.

- Navigate to State Analyzer > Allowed Items and select the Software tab.
- Click View Identified Patches to see software that the patching solution has identified. Each row on the View Identified Patches page represents a different piece of software, with information about recommended patch versions for each. Click anywhere on a row for more information.
- To create a new Allowed Item for a piece of software, select it and click Make Allowed. The software will be added as a new Allowed Item on the Software tab.
Note: If an Allowed Item already exists for that software, the Make Allowed button will be unavailable.
- To remove a piece of software from the list, select it and click Delete.
- When you are finished, click Back to Software Allowed Items.

- Navigate to State Analyzer > Allowed Items and select the Software tab.
- Select the software Allowed Item with patch information you want to manage.
- Click Add Version to append the Recommended Versions to the list of Allowed Versions, or click Update Version to replace the Allowed Versions with the Recommended Versions.
TSA will use the updated Allowed Version values for this software during the next Allowlist Assessment.
Tracking Changes in Allowed Items
Tripwire State Analyzer tracks changes to an Allowed Item by creating a new version each time the Item is changed. Allowed Items can change when they are directly edited in TSA, or when they are exported to a CSV file, edited externally, and then re-imported.
On the Allowed Items page, you can view all of the historical versions of an Allowed Item, compare two versions of the same Item, or restore an Allowed Item to the state of a previous version.
Note: Allowed Item versions in TSA are different from element versions in Tripwire Enterprise. Restoring or modifying Allowed Item versions in TSA has no effect on the element version data stored in TE.

- Navigate to State Analyzer > Allowed Items and select the tab for the Allowlist with the Item you want to compare.
- Select a single Allowed Item and click History.
The History dialog displays each version of the Allowed Item on a single row, along with the user who changed it, and a Change Reason if this setting is configured in Allowlist Settings.
- In the History dialog, select two versions you want to compare and click Compare.
- In the difference dialog, use the Next and Previous buttons to scroll through the differences.

- Navigate to State Analyzer > Allowed Items and select the tab for the Allowlist with the Item you want to restore.
- Select a single Allowed Item and click History.
The History dialog displays each version of the Allowed Item on a single row, along with the user who changed it, and a Change Reason if this setting is configured in Allowlist Settings.
- In the History dialog, select a previous version and select Restore.
- In the confirmation dialog, enter a Change Reason (if configured) and select Yes.
Importing or Exporting Allowed Items
You can export Allowed Items to CSV, PDF, or JSON files. You can also import CSV files, supporting a workflow where you export Allowed Items to a CSV file, make edits externally, and then import them back into TSA.
Tip: From any Allowed Items tab, you can only import or export Items for that Allowlist Type (although multiple files can be imported at once). From the Display Types tab of the Allowlist Settings page, you can import or export Allowlist Items for multiple Allowlist Types at once.

- Navigate to State Analyzer > Allowed Items and select the tab for the type of Allowlist Item you want to import.
- Click the Import icon above the table.
- In the Import dialog, click ADD FILE and select a CSV file to import.
Note: The maximum size for each imported CSV file is 10MB, with a limit of 2048 characters per field.
- Repeat the previous step to add more files if necessary.
- Click IMPORT to import the files.

- Navigate to State Analyzer > Allowed Items and select the tab for the type of Allowlist Item you want to export.
- Apply any desired filters to the Allowed Items. Only visible Items will be exported.
- Click the Export icon above the table and select a format for the export file.
Only CSV files can be imported back into State Analyzer.
- If prompted, specify the filename and click Save.
See the Allowed Items CSV File Reference for information about editing Allowlist CSV files.
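As an added example (not TSA code and not part of its CSV File Reference), the Python script below pre-checks an exported Allowlist CSV before it is re-imported, using the two limits stated above and the uniqueness rule from Working with Allowed Items: the file may be at most 10MB, no field may exceed 2048 characters, and no two rows may be identical in their Attributes and Scope columns, with User-Defined Attribute columns ignored. The column names, the split between identity and user-defined columns, and the sample CSV are assumptions constructed for the example.

```python
import csv
import io

MAX_FILE_BYTES = 10 * 1024 * 1024   # "maximum size for each imported CSV file is 10MB"
MAX_FIELD_CHARS = 2048              # "limit of 2048 characters per field"

# Assumed column layout for a Software Allowlist export. The real header is
# documented in the Allowed Items CSV File Reference; these names are illustrative.
IDENTITY_COLUMNS = ("Name", "Allowed Versions", "Scope")   # Attributes + Scope
# Every other column is treated as a User-Defined Attribute and is not
# considered when deciding whether two rows describe the same Allowed Item.


def validate_allowlist_csv(text, file_bytes=None):
    """Return a list of problems found in the CSV text; an empty list means
    the file passes the size, field-length and uniqueness checks."""
    problems = []
    size = len(text.encode("utf-8")) if file_bytes is None else file_bytes
    if size > MAX_FILE_BYTES:
        problems.append(f"file is {size} bytes, over the {MAX_FILE_BYTES}-byte limit")

    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in IDENTITY_COLUMNS if c not in header]
    if missing:
        problems.append("missing identity column(s): " + ", ".join(missing))
        return problems

    seen = {}   # identity tuple -> first line number that used it
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        for col, value in row.items():
            if isinstance(value, str) and len(value) > MAX_FIELD_CHARS:
                problems.append(f"line {line_no}: field '{col}' has {len(value)} "
                                f"characters (limit {MAX_FIELD_CHARS})")
        identity = tuple((row.get(c) or "").strip() for c in IDENTITY_COLUMNS)
        if identity in seen:
            problems.append(f"line {line_no}: duplicates line {seen[identity]} "
                            "(Attributes and Scope identical; user-defined "
                            "columns are not considered)")
        else:
            seen[identity] = line_no
    return problems


# Constructed sample export (not real data). Lines 2 and 3 differ only in the
# user-defined "Owner" column, so TSA would treat them as the same Allowed Item.
SAMPLE_CSV = """Name,Allowed Versions,Scope,Owner
OpenSSL,3.0.13;3.0.14,All Assets,platform-team
OpenSSL,3.0.13;3.0.14,All Assets,security-team
curl,8.7.1,tag:web,platform-team
"""

if __name__ == "__main__":
    for problem in validate_allowlist_csv(SAMPLE_CSV) or ["no problems found"]:
        print(problem)
```

Run against a real export, pass the on-disk size as `file_bytes` (for example `os.path.getsize(path)`) so the 10MB check reflects the file TSA will receive rather than the decoded text.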
Types of Allowlists
Allowlist Type | Description
---|---
Group Memberships | A group membership is a pairing between a user group and a member of the group (i.e., a sub-group or a user account).
Open Ports | An open port is a listening TCP or an open UDP port on a monitored system. Each open port consists of a communication protocol, port number, and the associated process (for example, SSH). Agent-based allowlisting queries the monitored system for port records, whereas Agentless allowlisting uses port information collected from an external scan. If your TSA environment employs Agent-based allowlisting on a Windows monitored system and the process name is svchost.exe, TSA will also capture the associated service name(s). For Agentless allowlisting, the process name shown in TSA is determined by the tool that performs the scan. For example, Nmap uses the nmap-services file to map a port number and protocol to a process name.
Routes | A route is a network-accessible path from a monitored system to a host or network. Each route consists of a host or network, the netmask (or subnet mask) of the host or network, and the gateway through which the monitored system accesses the host or network. On monitored systems running a Windows operating system, TSA captures IPv4 non-default persistent routes. On monitored systems running a RHEL (Red Hat Enterprise Linux) operating system, TSA captures IPv4 active, non-default routes that use a gateway (not directly connected).
Services | A service is a software application that runs as a background process on a monitored system. On monitored systems running a Windows operating system, TSA queries all services that do not have a status of 'Disabled'. On monitored systems running a Unix-compatible operating system, TSA queries any running service. On monitored systems running a supported Linux platform, TSA queries the running SysVinit, Upstart, xinetd, and systemd services (if available).
Shares | A share is a permission (or set of permissions) applied to a user account or user group that grants access to a shared directory.
Software | A software item is an application, patch, or utility on a monitored system. Using the custom software feature, you can also include scripts, firmware, portable applications, and other software that does not register with the operating system.
Users | A user is a user account with access to a monitored system. Each user consists of a username, the age of the password (in days), enabled/disabled status, and an optional last-login timestamp.