Tripwire is a system integrity checking application. It creates a database of files and their properties (including checksums), which can be used as a reference to see whether any properties have changed at a later date. The idea is that you can see if anyone has been tampering with your system. Tripwire is available as Open Source for Linux, but for commercial Unixes you have to pay. See for details.

Installing tripwire for Linux

 1. Download the RPM and install it using rpm -ivh package-name
 2. Run /etc/tripwire/ This creates a site and local phrase and
    creates a configuration file
 3. Create a policy file using the default settings provided with the
    installation (this will be customised later): twadmin --create-polfile /
 4. Initialise Tripwire: tripwire --init
 5. Run Tripwire in check mode: tripwire --check
 6. A report will be produced with various errors. Because the default policy
    file was used, there will be various files that don't exist on your server
    and some that exist on your server but weren't checked. Use this
    information to edit and correct /etc/tripwire/twpol.txt
 7. Recreate the policy file using the updated file: twadmin --create-polfile
 8. Reinitialise the database: tripwire --init
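
Step 6 mostly means matching the "file not found" errors from the check against rules in twpol.txt. The shell functions below are an added example, not part of the original page or of Tripwire itself. They assume each missing path appears in the saved check output as a "### Filename: <path>" line followed by "### No such file or directory"; the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Added example, not Tripwire's own tooling. Assumption: each path missing from
# this server shows up in saved `tripwire --check` output as a
# "### Filename: <path>" line followed by "### No such file or directory".

# Print the unique paths the saved check output ($1) reports as missing.
missing_paths() {
    awk '
        /^### Filename: / { sub(/^### Filename: /, ""); path = $0; next }
        /No such file or directory/ && path != "" { print path }
        { path = "" }
    ' "$1" | sort -u
}

# Comment out twpol.txt rules whose object name is a missing path.
# $1 = list of missing paths, $2 = policy text; edited policy goes to stdout.
comment_out_missing() {
    awk '
        FILENAME == ARGV[1] { missing[$0] = 1; next }
        ($1 in missing)     { print "#" $0; next }
        { print }
    ' "$1" "$2"
}

# Constructed sample data standing in for real check output and a real policy.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/check.out" <<'EOF'
### Warning: File system error.
### Filename: /proc/ksyms
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /sbin/rmt
### No such file or directory
### Continuing...
EOF
    cat > "$tmp/twpol.txt" <<'EOF'
  /proc/ksyms     -> $(SEC_BIN) ;
  /sbin/init      -> $(SEC_CRIT) ;
  /sbin/rmt       -> $(SEC_BIN) ;
EOF
    missing_paths "$tmp/check.out" > "$tmp/missing.txt"
    comment_out_missing "$tmp/missing.txt" "$tmp/twpol.txt"
    rm -rf "$tmp"
}
demo
```

Review the edited policy before replacing /etc/tripwire/twpol.txt and continuing with step 7. Files that exist on the server but weren't checked still have to be added to the policy by hand.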

Tripwire is now ready to use. Simply run tripwire --check on a regular basis and check the resulting report. If you want to update the database from the report produced (i.e. any files reported as updated are OK), run tripwire --update -r /var/lib/tripwire/report/latest-file.twr
