In this blog post, we’ll look at the how to install and configure Tripwire on Ubuntu 20.04/18.04 Linux system. Tripwire is an open source host-based Intrusion Detection System. Tripwire can check for file integrity, and it will monitor and alert on file/directory change.

A Tripwire check compares the current filesystem state against a known baseline state and alerts on any changes it detects. The baseline and check behavior are controlled by a policy file, which specifies which files or directories to monitor, and which attributes to monitor on them, such as hashes, file permissions, and ownership.

When an expected change occurs, such as upgrading a package, the baseline database can be updated to the new known-good state. The policy can also be updated, for example, to reduce noise or cover a newly installed package.

Install Tripwire on Ubuntu 20.04 / Ubuntu 18.04

Tripwire package for Ubuntu is available from the apt repository. Install it by running:

sudo apt update
sudo apt install tripwire

This installation is an interactive process, it will ask you a couple of questions.

Create Tripwire keys and initialize the database.

Now that the installation has been successful, we need to generate keys and initialize database so that tripwire can start its work.

$ sudo su -
# cd /etc/tripwire/
# ls -1
server-01-local.key
site.key
tw.cfg
tw.pol
twcfg.txt
twpol.txt

We’ll modify twcfg.txt file REPORTLEVEL to which is a maximum.

ROOT          =/usr/sbin
POLFILE       =/etc/tripwire/tw.pol
DBFILE        =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/etc/tripwire/site.key
LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR        =/usr/bin/editor
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL   =4
SYSLOGREPORTING =true
MAILMETHOD    =SMTP
SMTPHOST      =localhost
SMTPPORT      =25
TEMPDIRECTORY =/tmp

Generate a configuration file after the change:

# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase: <Enter-your-passphrase>
Wrote configuration file: /etc/tripwire/tw.cfg

Optimize Tripwire Policy file

Create a twpolmake.pl file with below content:

# vim twpolmake.pl

Add:

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

Create configs:

# perl twpolmake.pl twpol.txt > twpol.txt.new 
# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new 
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Create Tripwire database:

# tripwire -m i -s -c tw.cfg
Please enter your local passphrase: 
### Warning: File system error.
### Filename: /var/lib/tripwire/server-01.twd
### No such file or directory
### Continuing...

You can print database using the command:

# twprint -m d -d /path/to/database.twd
E.g
# twprint -m d -d /var/lib/tripwire/server-01.twd

Updating a database

The simplest form of update updates the database with all the changes in a report file:

# tripwire --update --accept-all

Test tripwire by executing checking manually:

# tripwire -m c -s -c /etc/tripwire/tw.cfg 
Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by:          root
Report created on:            Sat Jun  9 07:32:25 2018
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    server-01
Host IP address:              127.0.1.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/server-01.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Other binaries                  66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  Other libraries                 66                0        0        0        
  Root file-system executables    100               0        0        0        
* Tripwire Data Files             100               1        0        0        
  System boot changes             100               0        0        0        
  Root file-system libraries      100               0        0        0        
  (/lib)
  Critical system boot files      100               0        0        0        
  Other configuration files       66                0        0        0        
  (/etc)
  Boot Scripts                    100               0        0        0        
  Security Control                66                0        0        0        
  Root config files               100               0        0        0        
  Devices & Kernel information    100               0        0        0        
  (/dev)
  Invariant Directories           66                0        0        0        

Total objects scanned:  14492
Total violations found:  1

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/server-01.twd)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/server-01.twd"

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

If there are no errors encountered,Tripwire data files are located on  : /var/lib/tripwire/<servername>.twdScan results are saved under /var/lib/tripwire/report/ directory:

# ls /var/lib/tripwire/report/
server-01-20180609-073225.twr

To print this report, use the syntax:

# twprint -m r -t [0-4] -r /path/to/reportfile.twr

The -t argument specifies the level of report verbosity, where 0 is a single line summary of the report contents, and 4 displays all gathered attributes on all changed objects. The report level defaults to 3 if not specified on the command line or via the REPORTLEVEL config file option.Example:

# twprint -m r -t 4 -r /var/lib/tripwire/report/server-01-20180609-073225.twr

Also, note that you can update this report manually:

# tripwire -m u -a -s -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/server-01-20180609-073225.twr 
Please enter your local passphrase:

Updating a policy

Policy update mode modifies the current Tripwire policy without losing existing baselines.

# tripwire --update-policy updated-policy.txt

This will do a check with the new policy as part of the update process. If this check detects changes, the default behavior is to display the changes and exit without updating the policy or database. To accept the changes and continue with the policy update, use the -Z low / –secure-mode low command line option.

Testing the email configuration

To test email configuration:

# tripwire --test --email [email protected]

This sends a test email to the specified address, using the email settings specified in the config file. We’ll cover more Tripwire configurations on our next article.

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!


As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.

LEAVE A REPLY

Please enter your comment!
Please enter your name here