NOTE: THE OPEN-SOURCE VERSION OF TRIPWIRE IS NO LONGER BEING ACTIVELY DEVELOPED, although it still works. Consider using OSSEC instead.
Tripwire is a host-based intrusion detection system.
It’s available as a Debian package and in FreeBSD ports.
Ideally, we install tripwire immediately after a new system install, when we're reasonably sure the box hasn't been compromised yet; a baseline taken after a compromise would just enshrine the attacker's changes.
Once installed, tripwire is run daily from cron.daily.
The installer asks us to create a site key and a local key (with passphrases). Save these; they are needed to sign the policy and the database.
Post-install, create the database of file signatures:
# tripwire --init
Tripwire has two important config files, both with (at least on Debian) sane defaults:
- /etc/tripwire/twpol.txt (the policy: which files to watch and which attributes to check)
- /etc/tripwire/twcfg.txt (the configuration)
We can manually run a tripwire check with:
# tripwire --check
Files that are not found (and may never have existed on this platform) and files that have changed are listed. We may want to exclude such false positives in twpol.txt to cut down on admin alert noise.
After changes to twpol.txt, we must recreate the signed policy file and reinitialize the database:
# twadmin -m P /etc/tripwire/twpol.txt
# tripwire --init
A subsequent tripwire --check should now run clean and not complain about any modified or missing files.
After making system changes, such as installing updates or new packages, run an interactive check, which opens the report in an editor so we can accept the expected changes into the database:
# tripwire --check --interactive
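As an added illustration of what the init/check cycle above does (example code, not Tripwire's own), a minimal POSIX shell stand-in: tw_init records a sha256 baseline of every file under a directory, like tripwire --init, and tw_check reports modified, missing and newly added files against that baseline, like tripwire --check. It assumes sha256sum from GNU coreutils; the directory and database paths are hypothetical arguments.

```shell
#!/bin/sh
# Didactic stand-in for tripwire --init / --check (not Tripwire's code).

# tw_init DIR DBFILE
# Build the baseline: one "sha256  ./relative/path" line per regular file.
tw_init() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# tw_check DIR DBFILE
# Compare the current tree against the baseline. Prints one finding per
# line (Modified / Missing / Added) and returns 1 if anything was found,
# 0 if the check ran clean.
tw_check() {
    dir=$1; db=$2
    findings=$(
        # Every baseline entry must still exist and hash the same.
        while read -r hash path; do
            if [ ! -f "$dir/$path" ]; then
                echo "Missing:  $path"
            elif [ "$(sha256sum "$dir/$path" | cut -c1-64)" != "$hash" ]; then
                echo "Modified: $path"
            fi
        done < "$db"
        # Files present now but absent from the baseline (hash is 64 chars
        # plus two spaces, so the path starts at column 67).
        ( cd "$dir" && find . -type f ) | while read -r path; do
            cut -c67- "$db" | grep -Fxq -- "$path" || echo "Added:    $path"
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}
```

Real Tripwire additionally signs the database with the local key, so an intruder who can write to the host cannot silently rewrite the baseline; this stand-in has no such protection and is only meant to show the baseline-then-diff idea.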