How to Install Tripwire IDS (Intrusion Detection System) on Linux

Tripwire is a popular Linux Intrusion Detection System (IDS) that runs on a system to detect whether unauthorized filesystem changes have occurred over time.

On CentOS and RHEL distributions, Tripwire is not part of the official repositories. However, the tripwire package can be installed from the EPEL repository.

To begin, install the EPEL repository on the CentOS or RHEL system by issuing the command below.

# yum install epel-release

After you’ve installed the EPEL repository, update the system with the following command.

# yum update

After the update process finishes, install the Tripwire IDS software by executing the command below.

# yum install tripwire

Fortunately, Tripwire is part of the default Ubuntu and Debian repositories and can be installed with the following commands.

$ sudo apt update
$ sudo apt install tripwire

On Ubuntu and Debian, the Tripwire installation asks you to choose and confirm a site key and a local key passphrase. These keys are used by Tripwire to secure its configuration files.

Create Tripwire Site and Local Key

On CentOS and RHEL, you need to create the Tripwire keys with the command below and supply a passphrase for the site key and the local key.

# tripwire-setup-keyfiles

[Image: Create Tripwire Keys]

In order to validate your system, you need to initialize the Tripwire database with the following command. Because the database hasn’t been initialized yet, Tripwire will display a lot of false-positive warnings.

# tripwire --init

[Image: Initialize Tripwire Database]

Finally, generate a Tripwire system report to check the configuration by issuing the command below. Use the --help switch to list all options of the tripwire check command.

# tripwire --check --help
# tripwire --check

After the tripwire check command completes, review the report. Reports are stored with the .twr extension in the /var/lib/tripwire/report/ directory. Before you can open a report in your favorite text editor, you need to convert it to a text file.

# twprint --print-report --twrfile /var/lib/tripwire/report/tecmint-20170727-235255.twr > report.txt
# vi report.txt

[Image: Tripwire System Report]
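The converted report contains a per-rule summary table (Rule Name, Severity Level, Added, Removed, Modified), and on a large report the few rules that actually changed are easy to miss. The shell function below is an added example, not part of the original article: it reads twprint text output on stdin and lists only the rules with non-zero counters. The names tw_violations and sample_report are hypothetical, and the sample report is constructed for illustration.

```shell
#!/bin/sh
# Added example: list Tripwire rules that recorded violations.
# Input : text from `twprint --print-report` on stdin.
# Output: rule|severity|added|removed|modified, one line per changed rule.
tw_violations() {
    awk '
        # Only parse rows between the table header and the totals line.
        /Rule Name/ && /Severity Level/ { in_summary = 1; next }
        /Total objects scanned/         { in_summary = 0 }
        !in_summary || NF < 5           { next }   # also skips wrapped names such as "(/lib)"
        {
            # A rule row ends in four integers: severity added removed modified.
            for (i = NF - 3; i <= NF; i++) if ($i !~ /^[0-9]+$/) next
            if ($(NF-2) + $(NF-1) + $NF == 0) next
            start = ($1 == "*") ? 2 : 1            # "*" marks a rule with violations
            name = $start
            for (i = start + 1; i <= NF - 4; i++) name = name " " $i
            printf "%s|%s|%s|%s|%s\n", name, $(NF-3), $(NF-2), $(NF-1), $NF
        }
    '
}

# Constructed sample in the layout of a Tripwire rule summary (not real data).
sample_report() {
    cat <<'EOF'
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
* Tripwire Data Files             100               1        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
* Devices & Kernel information    100               12       3        15
  Invariant Directories           66                0        0        0

Total objects scanned:  4200
Total violations found:  31
EOF
}

sample_report | tw_violations
```

On a real host, pipe the twprint --print-report --twrfile command shown above into tw_violations instead of redirecting it to report.txt.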

That’s it! You have successfully installed Tripwire on the Linux server. I hope you can now easily configure your Tripwire IDS.


4 thoughts on “How to Install Tripwire IDS (Intrusion Detection System) on Linux”

  1. I wish to install the beryl 3d screen saver, but I am unable to install it. Can anybody tell me step-by-step instructions?

  2. Nice article sir, some more details for beginners will be more helpful.

    Report output looks like this, what should I do? Anything wrong?

    -------------------------------------------------------------------------------
      Section: Unix File System
    -------------------------------------------------------------------------------

      Rule Name                       Severity Level    Added    Removed  Modified
      ---------                       --------------    -----    -------  --------
      Other binaries                  66                0        0        0
      Tripwire Binaries               100               0        0        0
      Other libraries                 66                0        0        0
      Root file-system executables    100               0        0        0
    * Tripwire Data Files             100               1        0        0
      System boot changes             100               0        0        0
      Root file-system libraries      100               0        0        0
      (/lib)
      Critical system boot files      100               0        0        0
      Other configuration files       66                0        0        0
      (/etc)
      Boot Scripts                    100               0        0        0
      Security Control                66                0        0        0
      Root config files               100               0        0        0
    * Devices & Kernel information    100               13442    17733    15
      Invariant Directories           66                0        0        0

    Total objects scanned:  178950
    Total violations found:  31191
  3. Hello, I have a quick question: after installing tripwire and generating the two keys, I wanted to initialize it and got this message:

    ### Error: Keyfile Read/Write error.
    ### /etc/tripwire/site.key
    ### Exiting...

    Does anyone know what it can be exactly, please?

    Would appreciate any help with it.
