Tripwire Cheat Sheet
Overview
Tripwire is one of the original file integrity monitoring (FIM) tools, designed to detect changes to critical system files by maintaining a cryptographically signed database of file attributes. When run, Tripwire compares current file states against the baseline, reporting any additions, deletions, or modifications to monitored files and directories. It uses site and local key pairs to sign its policy, configuration, and database files, so that a policy, configuration, or database edited without the corresponding passphrase fails signature verification instead of silently weakening the monitoring.
Open Source Tripwire operates in a scan-on-demand model where periodic checks are scheduled via cron. It monitors file properties including permissions, ownership, timestamps, file size, inode number, and cryptographic hashes (MD5, SHA-256, CRC-32, HAVAL). The tool is commonly deployed in environments requiring PCI DSS Requirement 11.5, HIPAA, SOX, and NIST 800-53 SI-7 compliance, where file integrity monitoring is mandatory. Tripwire Enterprise (commercial) adds real-time monitoring, agent management, and integration with change management workflows.
Installation
Ubuntu / Debian
sudo apt update
sudo apt install tripwire
# During installation, you'll be prompted to:
# 1. Create site key passphrase
# 2. Create local key passphrase
# 3. Rebuild policy and configuration files
Red Hat / CentOS
# Install EPEL repository first
sudo dnf install epel-release
sudo dnf install tripwire
# Generate keys manually
sudo tripwire-setup-keyfiles
From Source
git clone https://github.com/Tripwire/tripwire-open-source.git
cd tripwire-open-source
mkdir build && cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr/local
make -j$(nproc)
sudo make install
# Generate keys
sudo twadmin --generate-keys --site-keyfile /etc/tripwire/site.key
sudo twadmin --generate-keys --local-keyfile /etc/tripwire/$(hostname)-local.key
Core Commands
| Command | Description |
|---|---|
| tripwire --init | Initialize the baseline database |
| tripwire --check | Run integrity check against baseline |
| tripwire --update | Update database after reviewing changes |
| tripwire --test | Test email notification configuration (use with --email address) |
| twadmin --create-cfgfile | Create signed configuration file |
| twadmin --create-polfile | Create signed policy file |
| twadmin --print-cfgfile | Display current configuration |
| twadmin --print-polfile | Display current policy |
| twprint --print-dbfile | Display database contents |
| twprint --print-report | Display report in readable format |
# Initialize database (after configuring policy)
sudo tripwire --init
# Run integrity check
sudo tripwire --check
# Check with specific severity level
sudo tripwire --check --severity 66
# Check specific rule
sudo tripwire --check --rule-name "System Binaries"
# Interactive update (review and accept changes)
sudo tripwire --update --twrfile /var/lib/tripwire/report/latest.twr
# Write the report to a dated file instead of the default REPORTFILE path
sudo tripwire --check --twrfile /var/lib/tripwire/report/$(date +%Y%m%d).twr
Configuration
Tripwire Configuration (twcfg.txt)
# /etc/tripwire/twcfg.txt
ROOT = /usr/sbin
POLFILE = /etc/tripwire/tw.pol
DBFILE = /var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE = /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE = /etc/tripwire/site.key
LOCALKEYFILE = /etc/tripwire/$(HOSTNAME)-local.key
EDITOR = /usr/bin/vi
LATEPROMPTING = false
LOOSEDIRECTORYCHECKING = false
MAILNOVIOLATIONS = true
EMAILREPORTLEVEL = 3
REPORTLEVEL = 3
SYSLOGREPORTING = true
MAILMETHOD = SMTP
SMTPHOST = localhost
SMTPPORT = 25
TEMPDIRECTORY = /tmp
# Sign and apply configuration
sudo twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg \
--site-keyfile /etc/tripwire/site.key \
/etc/tripwire/twcfg.txt
Policy File (twpol.txt)
# /etc/tripwire/twpol.txt
# Global variable definitions
@@section GLOBAL
TWROOT=/usr/sbin
TWBIN=/usr/sbin
TWPOL=/etc/tripwire
TWDB=/var/lib/tripwire
TWSKEY=/etc/tripwire
TWLKEY=/etc/tripwire
TWREPORT=/var/lib/tripwire/report
@@section FS
# Attribute shortcuts
SEC_CRIT = $(IgnoreNone)-SHa; # Critical files - all properties except SHA-1, HAVAL and access time
SEC_SUID = $(IgnoreNone)-SHa; # SUID/SGID files
SEC_BIN = $(ReadOnly); # Binaries
SEC_CONFIG = $(Dynamic); # Configuration files
SEC_LOG = $(Growing); # Log files
SEC_INVARIANT = +tpug; # Directories (type, permissions, user, group)
SIG_LOW = 33; # Low severity
SIG_MED = 66; # Medium severity
SIG_HI = 100; # High severity
# Critical system files
(
rulename = "Critical System Files",
severity = $(SIG_HI),
emailto = security@example.com
)
{
/etc/passwd -> $(SEC_CRIT);
/etc/shadow -> $(SEC_CRIT);
/etc/group -> $(SEC_CRIT);
/etc/gshadow -> $(SEC_CRIT);
/etc/sudoers -> $(SEC_CRIT);
/etc/ssh/sshd_config -> $(SEC_CRIT);
}
# System binaries
(
rulename = "System Binaries",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN);
/sbin -> $(SEC_BIN);
/usr/bin -> $(SEC_BIN);
/usr/sbin -> $(SEC_BIN);
/usr/local/bin -> $(SEC_BIN);
}
# Libraries
(
rulename = "System Libraries",
severity = $(SIG_HI)
)
{
/lib -> $(SEC_BIN);
/lib64 -> $(SEC_BIN);
/usr/lib -> $(SEC_BIN);
}
# Configuration files
(
rulename = "Configuration Files",
severity = $(SIG_MED)
)
{
/etc -> $(SEC_CONFIG);
!/etc/mtab;
!/etc/resolv.conf;
!/etc/hosts.deny;
}
# Log files
(
rulename = "Log Files",
severity = $(SIG_LOW)
)
{
/var/log -> $(SEC_LOG);
}
# Boot files
(
rulename = "Boot Files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT);
}
# Kernel modules
(
rulename = "Kernel Modules",
severity = $(SIG_HI)
)
{
/lib/modules -> $(SEC_BIN);
}
# Sign and apply policy
sudo twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg \
--site-keyfile /etc/tripwire/site.key \
/etc/tripwire/twpol.txt
# Reinitialize database after policy changes
sudo tripwire --init
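The attribute shortcuts above ($(IgnoreNone)-SHa, $(ReadOnly), $(Growing) and so on) are property masks: each letter names one file attribute, + adds it to the tracked set and - removes it, and later terms override earlier ones. The following is an added example, not Tripwire's own code, that expands those masks using the predefined variable definitions from the twpolicy(4) man page and then applies them to constructed before/after attribute snapshots, to show why a grown log file is silent under $(Growing) while a touched /etc/passwd is reported under SEC_CRIT.

```python
# Added example (not part of Tripwire): models how Tripwire property masks decide
# which attribute changes count as violations. Predefined masks follow twpolicy(4);
# the file snapshots below are constructed sample data.

PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

def expand_mask(mask: str) -> set:
    """Expand a policy mask into the set of tracked property letters.
    $(Name) is replaced by its definition; '+' adds and '-' removes the letters
    that follow it, with later terms overriding earlier ones."""
    for name, value in PREDEFINED.items():
        mask = mask.replace("$(%s)" % name, value)
    tracked, adding = set(), True
    for ch in mask:
        if ch == "+":
            adding = True
        elif ch == "-":
            adding = False
        elif ch.isalpha():
            (tracked.add if adding else tracked.discard)(ch)
    return tracked

def violations(baseline: dict, current: dict, mask: str) -> set:
    """Return the tracked property letters whose value differs between the
    baseline database entry and the current scan of the same file."""
    changed = set()
    for prop in expand_mask(mask):
        if prop == "l":  # 'l' (growing file): only a shrink is a violation
            if current.get("s", 0) < baseline.get("s", 0):
                changed.add("l")
        elif baseline.get(prop) != current.get(prop):
            changed.add(prop)
    return changed

# Constructed snapshots: a log that grew, and /etc/passwd whose mtime, atime and MD5 changed.
LOG_OLD = {"t": "file", "p": 0o640, "u": 0, "g": 4, "i": 1234, "s": 10000, "m": 1700000000}
LOG_NEW = dict(LOG_OLD, s=12000, m=1700003600)
PASSWD_OLD = {"t": "file", "p": 0o644, "u": 0, "g": 0, "i": 77, "s": 2000,
              "m": 1600000000, "a": 1650000000, "M": "a1b2"}
PASSWD_NEW = dict(PASSWD_OLD, a=1700000000, m=1700000000, M="ffee")

if __name__ == "__main__":
    print(sorted(violations(LOG_OLD, LOG_NEW, "$(Growing)")))               # []
    print(sorted(violations(PASSWD_OLD, PASSWD_NEW, "$(IgnoreNone)-SHa")))  # ['M', 'm']
```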
Advanced Usage
Automated Reporting
#!/bin/bash
# /usr/local/bin/tripwire-check.sh
REPORT_DIR="/var/lib/tripwire/report"
HOSTNAME=$(hostname)
DATE=$(date +%Y%m%d-%H%M%S)
REPORT="${REPORT_DIR}/${HOSTNAME}-${DATE}.twr"
EMAIL="security@example.com"
# Run check; tripwire exits non-zero when violations are found
if ! tripwire --check --twrfile "$REPORT" >/dev/null 2>&1; then
  # Render the signed report and email it
  twprint --print-report --twrfile "$REPORT" | \
    mail -s "Tripwire Alert: ${HOSTNAME} - Changes Detected" "$EMAIL"
fi
# Cleanup old reports (keep 90 days)
find "$REPORT_DIR" -name "*.twr" -mtime +90 -delete
# Make the script executable and install a daily cron job (cron.d format includes the user field)
sudo chmod 0755 /usr/local/bin/tripwire-check.sh
echo "0 3 * * * root /usr/local/bin/tripwire-check.sh" | sudo tee /etc/cron.d/tripwire
Key Management
# Regenerate site key (all systems in environment)
sudo twadmin --generate-keys \
--site-keyfile /etc/tripwire/site.key
# Regenerate local key (this host only)
sudo twadmin --generate-keys \
--local-keyfile /etc/tripwire/$(hostname)-local.key
# Change site passphrase
sudo twadmin --change-passphrases \
--site-keyfile /etc/tripwire/site.key
# Encrypt database
sudo twadmin --encrypt \
--local-keyfile /etc/tripwire/$(hostname)-local.key \
/var/lib/tripwire/$(hostname).twd
Database Operations
# Print database contents
sudo twprint --print-dbfile \
--dbfile /var/lib/tripwire/$(hostname).twd
# Print specific report
sudo twprint --print-report \
--twrfile /var/lib/tripwire/report/latest.twr
# Update database after planned changes
sudo tripwire --update \
--accept-all \
--twrfile /var/lib/tripwire/report/latest.twr
# Compare two reports
diff <(twprint --print-report --twrfile report1.twr) \
<(twprint --print-report --twrfile report2.twr)
Integration with Centralized Logging
# Forward Tripwire syslog to SIEM
# /etc/rsyslog.d/tripwire.conf
:programname, isequal, "tripwire" /var/log/tripwire.log
:programname, isequal, "tripwire" @@siem.example.com:514
# Logrotate configuration
# /etc/logrotate.d/tripwire
/var/log/tripwire.log {
weekly
rotate 52
compress
delaycompress
missingok
notifempty
}
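Once Tripwire's syslog output reaches the SIEM, the useful line to alert on is the "Integrity Check Complete" summary, whose format is documented in tripwire(8): V is the number of violations, S the maximum severity found, and A, R, C the counts of added, removed and changed objects. The following is an added example, not from Tripwire or from this page, that parses those lines and triages them against the policy's severity thresholds; the hostnames, timestamps and counts in the sample log are constructed.

```python
# Added example (not from Tripwire): detection logic over Tripwire syslog summary
# lines. Line format follows the tripwire(8) man page; sample values are constructed.
import re

SUMMARY = re.compile(
    r"Integrity Check Complete: TWReport (?P<host>\S+) (?P<date>\d{14}) "
    r"V:(?P<v>\d+) S:(?P<s>\d+) A:(?P<a>\d+) R:(?P<r>\d+) C:(?P<c>\d+)"
)

def parse_summary(line: str):
    """Return host, date and the V/S/A/R/C counters, or None for non-summary lines."""
    m = SUMMARY.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"host": d["host"], "date": d["date"],
            **{k: int(d[k]) for k in ("v", "s", "a", "r", "c")}}

def triage(lines, min_severity=66):
    """Classify each summary line: 'alert' when a violation reaches min_severity
    (SIG_MED in the policy above), 'review' for lower-severity changes, 'clean'
    when no violations were found. Returns (host, level, added, removed, changed)."""
    results = []
    for line in lines:
        rec = parse_summary(line)
        if rec is None:
            continue  # unrelated syslog line
        if rec["v"] == 0:
            level = "clean"
        elif rec["s"] >= min_severity:
            level = "alert"
        else:
            level = "review"
        results.append((rec["host"], level, rec["a"], rec["r"], rec["c"]))
    return results

# Constructed sample log: one clean host, one high-severity change, one low-severity addition
SAMPLE_LOG = [
    "Jan  5 03:00:12 web01 tripwire[2211]: Integrity Check Complete: TWReport web01 20240105030012 V:0 S:0 A:0 R:0 C:0",
    "Jan  5 03:00:40 db01 tripwire[4120]: Integrity Check Complete: TWReport db01 20240105030040 V:2 S:100 A:0 R:0 C:2",
    "Jan  5 03:01:02 log01 tripwire[988]: Integrity Check Complete: TWReport log01 20240105030102 V:1 S:33 A:1 R:0 C:0",
    "Jan  5 03:01:05 log01 sshd[990]: Accepted publickey for ops from 10.0.0.5 port 51022",
]

if __name__ == "__main__":
    for host, level, added, removed, changed in triage(SAMPLE_LOG):
        print(f"{host}: {level} (A:{added} R:{removed} C:{changed})")
```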
Troubleshooting
| Issue | Solution |
|---|---|
| Policy file not found | Create signed policy: twadmin --create-polfile /etc/tripwire/twpol.txt |
| Database not initialized | Run tripwire --init after policy is configured |
| Wrong passphrase | Regenerate keys with twadmin --generate-keys, then re-sign the config and policy and reinitialize the database, since files signed with the old key no longer verify |
| Excessive false positives | Add exclusions with ! prefix in policy file for volatile paths |
| File not found in policy | Update policy to match current system layout, then reinitialize |
| Check takes too long | Reduce scope in policy, exclude large data directories |
| Email notifications not working | Test with tripwire --test --email address and verify SMTP settings in twcfg.txt |
| Database corruption | Reinitialize: tripwire --init (baseline is lost) |
| Permission denied | Run all Tripwire commands as root or with sudo |