Install and Configure Tripwire

Tripwire is a program that monitors file integrity by maintaining a database of cryptographic signatures for programs and configuration files installed on the system, and reports changes in any of these files.

A database of checksums and other characteristics for the files listed in the configuration file is created. Each subsequent run compares any differences to the reference database, and the administrator is notified.

The greatest level of assurance that can be provided occurs if Tripwire is run immediately after Linux has been installed and security updates applied, and before it is connected to a network.

A text configuration file, called a policy file, is used to define the characteristics for each file that are tracked. Your level of paranoia determines the frequency in which the integrity of the files are checked. Administration requires constant attention to the system changes, and can be time-consuming if used for many systems. Available in unsupported commercial binary for Red Hat and similar.

  # Create policy file from text file
  /usr/TSS/bin/twadmin -m P policy.txt
  
  # Initialize database according to policy file
  /usr/TSS/bin/tripwire —init
  
  # Print database
  /usr/TSS/bin/twprint -m d
  
  # Generate daily report file
  /usr/TSS/bin/tripwire -m c -t 1 -M
  
  # Update database according to policy file and report file
  /usr/TSS/bin/tripwire --update --polfile policy/tw.pol \
      --twrfile report/<hostname>-<date>.twr