How to Install Tripwire on CentOS

Share It!

Tripwire is a host-based intrusion detection system (HIDS). It works by collecting details about your computer’s file-system and configuration. This software can keep track of many different file system data points in order to detect changes.


Tripwire compares files and directories against a database of file locations, dates modified, and other data. After creating the baseline database, Tripwire compares the current system to the baseline and mail any modifications, additions, or deletions.

Step 1: Install Remi/EPEL repository

CentOS/RHEL 6, 32 Bit (i686): 
# rpm -Uvh
CentOS/RHEL 6, 64 Bit (x86_64):
# rpm -Uvh
CentOS/RHEL 5, 32 Bit (i386):
# rpm -Uvh
CentOS/RHEL 5, 64 Bit (x86_64):
# rpm -Uvh

Step 2: Install Packages using YUM

After Install EPEL/Remi repository in our server. Use following command to install package:

# yum install bzip2

Step 3: Download tripwire

First we need to download tripwire source code in our system. Use following command to download the tripwire source code:

# wget

Step 4: Install Tripwire using below commands:

After adding the source code of Tripwire in our system, use following command to install the Tripwire in our system:

# bunzip2 tripwire-
# cd tripwire-
# ./configure --prefix=/path/to/install
# make
# make install

Step 5: Initial Tripwire Configuration:

The site key is used to sign Tripwire’s policy and configuration files while the local key is used for signing the database files.
The installation script creates policy and configuration files stored in

/path/to/install/etc as twpol.txt and twcfg.txt.

The policy includes monitoring for a number of files not present on the local system, so it’s important to trim these files out of policy.

The default policy should be installed using the command as root:

# /usr/sbin/twadmin -m P /path/to/install/etc/twpol.txt

Next, generate the initial database using the following command as root:

# /usr/sbin/tripwire -m i

Note: -m switch identifies the mode in which Tripwire is being executed, which is “i” for “initialization” in this case. Later, the “c” mode for “check” will be used.

Step 6: Customizing Tripwire’s Configuration

After the initial database is created, some customization is necessary to prevent a large number of false alarms. These false alarms occur any time there is a difference in the default policy and the local system’s current configuration. To generate a listing of the difference between the local system and the default policy, issue the following command as root:

# /usr/sbin/tripwire -m c | grep twtest.txt

This command will take several minutes to complete. Once twtest.txt file generates , edit the policy file, /etc/tripwire/twpol.txt, and comment out or delete each of the file names listed in twtest.txt.

Step 7: Finalizing the Tripwire Configuration

As, you comment the line listed in twtest.txt, the policy needs to be reinstalled and the database will need to be recreated. As before, these tasks are accomplished by issuing the following commands as root:

# /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
# /usr/sbin/tripwire -m i

Step 8: Scheduling a Nightly Tripwire Analysis

Create the shell script and just placing the command in the crontab because it allows the administrator to perform a filesystem check without needing to remember the exact syntax necessary for doing so.

Create the file “” that has the following contents:

/usr/sbin/tripwire -m c | mail -s "Tripwire Report from HOST" "Email I'd"

Then, schedule the script to execute adding the line:

1 1 * * * /usr/local/bin/ (run script at 1:01 am)

Tripwire will now submit nightly reports to the system administrator on the status of the file system’s integrity.

Hence the database must be updated regularly in order to get reports as accurate as possible. We can easily accomplish this by typing following command:

# tripwire -m u

If you want to see the database in its’ current form, twprint comes to the rescue :

# twprint -m d

Leave a Reply

Your email address will not be published.