How to Install Tripwire Intrusion Detection System on Debian

Tripwire is an Host Intrusion Detection System. Like AIDE it monitors the local filesystem and detects unauthorized changes.

Install Tripwire

Install

# apt update
# apt install tripwire

You are asked to create site and local keys. Select No at both prompts; you will generate the keys manually in the next step.

Generate Keys

The policy, database and configuration files are signed with site and local keys.

Generate the local key.

# twadmin --generate-keys -L /etc/tripwire/tripwire-local.key

Generate the site key.

# twadmin --generate-keys -S /etc/tripwire/tripwire-site.key

Configure Tripwire

Edit the configuration file

Open the config /etc/tripwire/twcfg.txt and edit the following lines to include your site and local keys:

SITEKEYFILE   =/etc/tripwire/tripwire-site.key
LOCALKEYFILE  =/etc/tripwire/tripwire-local.key

Sign the config.

# sudo twadmin --create-cfgfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twcfg.txt 

The configuration file is saved to /etc/tripwire/tw.cfg.

Create a Policy File

The default policy is provided with Tripwire and shoukld be adapted to your needs Sign the policy file with the site key.

# sudo twadmin --create-polfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twpol.txt 

The signed policy file is saved to /etc/tripwire/tw.pol.

Initialize Tripwire

When the policy is changed, generate the database.

# sudo tripwire --init

Tripwire prompts you to enter the local key's passphrase.

Run a Tripwire Check

Run a filesystem check.

# sudo tripwire --check -r report.twr 

The filesystem report is saved as report.twr in CWD. Plain text version ouput to terminal.

Update the Tripwire database to include any filesystem changes.

# sudo tripwire --update -a -r report.twr