How to Install Tripwire IDS (Intrusion Detection System) on Linux

Tripwire is a popular Linux Intrusion Detection System (IDS) that runs on systems in order to detect if unauthorized filesystem changes occurred over time.

In CentOS and RHEL distributions, a tripwire is not a part of official repositories. However, the tripwire package can be installed via Epel repositories.

To begin, first install Epel repositories in CentOS and RHEL system, by issuing the below command.

# yum install epel-release

After you’ve installed Epel repositories, make sure you update the system with the following command.

# yum update

After the update process finishes, install Tripwire IDS software by executing the below command.

# yum install tripwire

Fortunately, Tripwire is a part of Ubuntu and Debian default repositories and can be installed with the following commands.

$ sudo apt update
$ sudo apt install tripwire

On Ubuntu and Debian, the tripwire installation will be asked to choose and confirm a site key and local key passphrase. These keys are used by tripwire to secure its configuration files.

Create Tripwire Site and Local Key
Create Tripwire Site and Local Key

On CentOS and RHEL, you need to create tripwire keys with the below command and supply a passphrase for site key and local key.

# tripwire-setup-keyfiles
Create Tripwire Keys
Create Tripwire Keys

In order to validate your system, you need to initialize the Tripwire database with the following command. Due to the fact that the database hasn’t been initialized yet, a tripwire will display a lot of false-positive warnings.

# tripwire --init
Initialize Tripwire Database
Initialize Tripwire Database

Finally, generate a tripwire system report in order to check the configurations by issuing the below command. Use --help switch to list all tripwire check command options.

# tripwire --check --help
# tripwire --check

After tripwire check command completes, review the report by opening the file with the extension .twr from /var/lib/tripwire/report/ directory with your favorite text editor command, but before that you need to convert to text file.

# twprint --print-report --twrfile /var/lib/tripwire/report/tecmint-20170727-235255.twr > report.txt
# vi report.txt
Tripwire System Report
Tripwire System Report

That’s It! you have successfully installed Tripwire on the Linux server. I hope you can now easily configure your Tripwire IDS.

If you read this far, tweet to the author to show them you care. Tweet a thanks
Matei Cezar
I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

4 thoughts on “How to Install Tripwire IDS (Intrusion Detection System) on Linux”

  1. Nice article sir, some more details for beginners will be more helpful.

    report output looks like this, what should i do? anything wrong.

    -------------------------------------------------------------------------------
      Section: Unix File System
    -------------------------------------------------------------------------------
    
      Rule Name                       Severity Level    Added    Removed  Modified
      ---------                       --------------    -----    -------  --------
      Other binaries                  66                0        0        0
      Tripwire Binaries               100               0        0        0
      Other libraries                 66                0        0        0
      Root file-system executables    100               0        0        0
    * Tripwire Data Files             100               1        0        0
      System boot changes             100               0        0        0
      Root file-system libraries      100               0        0        0
      (/lib)
      Critical system boot files      100               0        0        0
      Other configuration files       66                0        0        0
      (/etc)
      Boot Scripts                    100               0        0        0
      Security Control                66                0        0        0
      Root config files               100               0        0        0
    * Devices & Kernel information    100               13442    17733    15
      Invariant Directories           66                0        0        0
    
    Total objects scanned:  178950
    Total violations found:  31191
    
    Reply
  2. Hallo, I’ve quick question : after installing tripwire and generating two keys, want to initialize it and got such message :

    ### Error: Keyfile Read/Write error.
    ### /etc/tripwire/site.key
    ### Exiting...
    

    Anyone know what it can be exactly, please?

    Would appreciate any help with it.

    Reply

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.