How to Set Up and Use Tripwire

All about Tripwire and what it can do for you.
Update Policies

Immediately after any system change, be it due to installation, update or removal of software or configuration files, it is mandatory to update the plain-text policy file and regenerate the binary database. Any successive Tripwire check would be meaningless otherwise. Therefore, run this command whenever it's necessary:

tripwire -update-policy -twrfile

Because it is so critical, this operation requires both your local and site passphrases. When launched in this way, Tripwire detects as violations any changes that happened after the specified integrity check. In such a case, an actual update of the policy, ignoring such violations, is possible only if the user explicitly tells the program to run in low security mode. The corresponding option is -Z low and is explained in detail in the Tripwire man page.

Miscellaneous Tips and Tricks

Reading the twfiles and twintro man pages, which contain short and up-to-date overviews of all the files and programs that compose the Tripwire suite, is highly recommended before starting the installation. The actual Tripwire binary, if called with the -help option, lists all the available options. Like many FOSS programs, all the utilities of this package accept both short and long forms of their command-line options.

For example, tripwire -check also can be written as tripwire -m c. The second form is faster when one already knows Tripwire and has to use it interactively, but the explicit command is recommended in scripts, for documentation or didactical purposes. The -v option puts any Tripwire command in verbose mode. Common wisdom also suggests that both the binary and text versions of the Tripwire system files be stored on a separate computer, write-protected floppy disk or USB drive.

Remember that one of the first things a determined cracker will do is to replace just those files with her own copies, to hide any trace of attack. The periodical reports placed by Tripwire in /var/lib/tripwire are in binary, optionally signed format. Consequently, they can't be read straight from the prompt, and they also can't even be processed directly by a shell script for automatic comparison or other purposes. The solution is to use the twprint command, which comes with its own complete man page, as in this example (note that you must pass the binary configuration file for it to work):

twprint --print-report --cfgfile twcfg.enc --twrfile

The digital signatures of each binary file can be checked directly with the siggen utility, which also has its own man page:

/usr/sbin/siggen /etc/tripwire/twcfg.enc
Signatures for file: /etc/tripwire/twcfg.enc

CRC32               Dmjk1z
MD5                 DTn311w6Wx3+7TXv7SHPjA
SHA                 D5N1Pv4biCnd14igf/anGM3pvVH
HAVAL               BEJmfzpcA/Txq5nf9kgsVb

Credits and a Glimpse of What's Ahead

The Open Source Tripwire Project had been quiescent for some time. Luckily, just a few days before the deadline of this article, version was released on SourceForge, and it is the one you'll likely find packaged for your distribution by the time you read this. Besides the source tarball, it is also possible to download x86 static binaries built on a Gentoo 2005 distribution. There are no remarkable changes in functionality, so everything explained in this article should still apply as is. The other good news is that this is the first release in which the old build system has been replaced by a standard autoconf/configure environment. Unfortunately, due to some gcc 4 compatibility problems on Fedora Core 4, it wasn't possible to test this version in time. However, as soon as this porting is completed, it should be much easier to add new features and package Open Source Tripwire for all modern GNU/Linux distributions. You're welcome to join the effort and report bugs on the developers mailing list (see Resources). Thanks to Paul Herman and Ron Forrester for releasing this new version and the time they spent to answer my questions.

Resources for this article: /article/8950.

Marco Fioretti is a hardware systems engineer interested in free software both as an EDA platform and, as the current leader of the RULE Project, as an efficient desktop. Marco lives with his family in Rome, Italy.


Articles about Digital Rights and more at CV, talks and bio at


Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Worked perfect

Anonymous's picture

Article seems old (2006), It worked exactly as it described. Great article. I am using tripwire now without any problem. Thanks a lot Mr. author.


Tripwire Missing tw.cfg

Anonymous's picture

I have followed you instructions but get:

tripwire --check
### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting..

Can you please help

Try running the command as

Anonymous's picture

Try running the command as superuser, such as "sudo tripwire --check".


Tri Trinh's picture

Great Article! :)

tripwire --init --cfgfile twcfg.enc --polfile tw.pol
↪--site-keyfile my_home_key --local-keyfile my_local_key

should be...

tripwire --init --cfgfile twcfg.enc --polfile twpol.enc
↪--site-keyfile my_home_key --local-keyfile my_local_key

tw.pol missing.

Anonymous's picture

Under Database Creation:

You have the commnad argument:
--polfile tw.pol

I got the error:
### Error: File could not be found.
### tw.pol
### Exiting...

I checked the directory it was never created. At what step does it get created in this process?

nice tutorial. my tripwire

Anonymous's picture

nice tutorial. my tripwire rpm also did not have the /etc/tripwire/ script. i used tripwire-2.3.1-21

'tripwire --check ' was not good enough

### Error: File could not be opened.
### Filename: /etc/tripwire/tw.cfg
### No such file or directory
### Configuration file could not be read.
### Exiting...

i needed to explicitly list it as an arg to tripwire

Stuck on the encrypting steps...

Perry Huang's picture

I'm using Tripwire on RHEL 4 and I am having problems at the encryption step. I don't have the twcfg.enc file needed to encrypt the config and policy files. Any ideas?

Read those steps again. You

Anonymous's picture

Read those steps again. You don't have it initially. You create twcfg.enc.

Robert's picture

If you look through the docs it mentions has been replaced by tripwire-setup-keyfiles.

It should also be noted that the prelinker will affect the md5 sums etc when it runs.