Tripwire IDS on RHEL

Tripwire is a host-based intrusion detection system. It takes a baseline snapshot of how a system is set up (a database of file and directory attributes), checks the system against that baseline, and logs any discrepancy between the baseline and the current state in a report. This is a reliable way to tell whether a system has been changed without your knowledge. In this article I will show you, step by step, how to set up and configure Tripwire on a RHEL based system. More information on Tripwire can be found at

Install Tripwire

Install Tripwire from the yum repositories.

Add EPEL Repository

The first thing you need to do is add and enable the EPEL repository. Follow the link to install the correct version for your RHEL based OS: EPEL Repository

Install the Tripwire Application

[root@server ~]# yum install tripwire

Backup Original Configuration

Back up the original Tripwire configuration and policy files before making any changes.

[root@server ~]# mkdir ~/tripwire_backup
[root@server ~]# cp /etc/tripwire/twcfg.txt ~/tripwire_backup/twcfg.txt
[root@server ~]# cp /etc/tripwire/twpol.txt ~/tripwire_backup/twpol.txt

Directory Checking

Open the Tripwire configuration file “/etc/tripwire/twcfg.txt” and enable Loose Directory Checking (set it to true). This setting is reverted to false at the end of this guide.




Create Keys

Generate the site and local keys that Tripwire uses to sign its configuration, policy and database files.

[root@server ~]# /usr/sbin/tripwire-setup-keyfiles

Initialise DB

Initialise the Tripwire database. (A list of errors will be displayed; these will be fixed later on.)

[root@server ~]# tripwire --init

You should now see a message saying the database was successfully generated.

Fix Errors

The default policy references a number of files and directories that may not actually exist on your system, and each missing path produces an error. This step removes those errors. Create a folder for the update process and change into that directory.

[root@server ~]# mkdir ~/tripwire_update
[root@server ~]# cd ~/tripwire_update

Collect all the errors and log them to a file.

[root@server ~]# tripwire --check | grep "Filename:" | awk '{print $2}' >> ./tripwire_errors

Copy the policy file

[root@server ~]# cp /etc/tripwire/twpol.txt ~/tripwire_update/twpol.txt

Next we will use a bash script to parse the errors file and comment out the corresponding entries in the Tripwire policy file. Create this file in “~/tripwire_update/” with the following content.



TWERR=./tripwire_errors   # errors file collected above (run from ~/tripwire_update)
TWPOL=./twpol.txt         # copy of the policy file made above
export IFS=$'\n'          # split on newlines only, so paths with spaces stay whole
for i in $(cat "$TWERR"); do
    if grep -q "$i" "$TWPOL"; then
        sed -i "s!$i!# $i!g" "$TWPOL"   # comment out the policy line for the missing path
    fi
done

Run the script.

[root@server ~]# sh ./
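
The loop above hands each path to grep and sed as an unanchored regular expression, so a missing /root/.Xresources would also comment out a line for /root/.XresourcesOLD, and a “.” in a path matches any character. The script below is an added example, not part of the original article: it performs the same comment-out step but matches each path literally and only as the whole first token of a policy line, using constructed sample files in place of the real tripwire_errors and twpol.txt.

```shell
#!/bin/sh
# Added example, not from the original article: a stricter version of the
# policy fix-up loop. It reads the "Filename:" paths that `tripwire --check`
# reported (here a constructed sample) and comments out only the policy
# lines whose path token is exactly that path, escaping regex metacharacters.
set -eu

# Escape a path for use as a literal inside a sed basic regex with '!' delimiter.
sed_escape() {
    printf '%s\n' "$1" | sed 's/[][\\.*^$!]/\\&/g'
}

# Comment out every line of policy file $2 whose first token is a path
# listed in errors file $1. Lines that merely start with the path
# (/root/.XresourcesOLD when /root/.Xresources is missing) are left alone.
comment_out_missing() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        grep -qF -- "$path" "$2" || continue
        esc=$(sed_escape "$path")
        sed -i "s!^\([[:space:]]*\)\(${esc}[[:space:]]\)!\1# \2!" "$2"
    done < "$1"
}

# Constructed sample inputs standing in for ~/tripwire_update/tripwire_errors
# and a fragment of ~/tripwire_update/twpol.txt.
write_samples() {
    printf '%s\n' /usr/sbin/fixfiles /root/.Xresources > "$1"
    cat > "$2" <<'EOF'
{
  /root                 -> $(SEC_CRIT) ;
  /root/.Xresources     -> $(SEC_CONFIG) ;
  /root/.XresourcesOLD  -> $(SEC_CONFIG) ;
  /usr/sbin/fixfiles    -> $(SEC_CRIT) ;
}
EOF
}

# Run the fix-up on the samples in a temporary directory and show the result.
run_demo() {
    dir=$(mktemp -d)
    write_samples "$dir/tripwire_errors" "$dir/twpol.txt"
    comment_out_missing "$dir/tripwire_errors" "$dir/twpol.txt"
    cat "$dir/twpol.txt"
    rm -rf "$dir"
}

run_demo
```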

Now copy the updated Tripwire policy file back to the original location.

[root@server ~]# cp ~/tripwire_update/twpol.txt /etc/tripwire/twpol.txt

Update the Tripwire policy and database from the policy file we have just edited.

[root@server ~]# tripwire --update-policy -Z low /etc/tripwire/twpol.txt

Run a Tripwire check. This generates a Tripwire report, usually located in “/var/lib/tripwire/report/”.

[root@server ~]# tripwire --check

Run a check

[root@server ~]# /etc/cron.daily/tripwire-check

Update (Again)

Update again to clear the errors that are displayed because we have changed the policy file. Replace YYYYMMDD and HHMMSS with the date and time of the check you just ran. To find the latest report, run “ls -la” on “/var/lib/tripwire/report/”.

[root@server ~]# tripwire --update --twrfile /var/lib/tripwire/report/server-YYYYMMDD-HHMMSS.twr

Email Reports

The next thing to do is change the Tripwire cron job so that it emails the report. Open “/etc/cron.daily/tripwire-check” and change the following line from

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check

to

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check | /bin/mail -s "File Integrity Report (Tripwire) - servername" user@domain.tld

Directory Checking (Revert)

Now we need to set Loose Directory Checking back to false. Open “/etc/tripwire/twcfg.txt” and change





Test the cron job to make sure it runs, creates the report and emails it to the address specified.

[root@server ~]# /etc/cron.daily/tripwire-check

You now have a working Tripwire setup: any changes made to your file system will show up in the report that is emailed to you every day. If you have made changes to the system yourself, don’t forget to update the database, otherwise the report will be full of expected changes and you won’t be able to tell whether something is actually wrong.