How to Install Tripwire IDS (Intrusion Detection System) on Linux

Tripwire is a popular Linux Intrusion Detection System (IDS) that runs on systems in order to detect if unauthorized filesystem changes occurred over time.

In CentOS and RHEL distributions, a tripwire is not a part of official repositories. However, the tripwire package can be installed via Epel repositories.

To begin, first install Epel repositories in CentOS and RHEL system, by issuing the below command.

# yum install epel-release

After you’ve installed Epel repositories, make sure you update the system with the following command.

# yum update

After the update process finishes, install Tripwire IDS software by executing the below command.

# yum install tripwire

Fortunately, Tripwire is a part of Ubuntu and Debian default repositories and can be installed with the following commands.

$ sudo apt update
$ sudo apt install tripwire

On Ubuntu and Debian, the tripwire installation will be asked to choose and confirm a site key and local key passphrase. These keys are used by tripwire to secure its configuration files.

Create Tripwire Site and Local Key
Create Tripwire Site and Local Key

On CentOS and RHEL, you need to create tripwire keys with the below command and supply a passphrase for site key and local key.

# tripwire-setup-keyfiles
Create Tripwire Keys
Create Tripwire Keys

In order to validate your system, you need to initialize the Tripwire database with the following command. Due to the fact that the database hasn’t been initialized yet, a tripwire will display a lot of false-positive warnings.

# tripwire --init
Initialize Tripwire Database
Initialize Tripwire Database

Finally, generate a tripwire system report in order to check the configurations by issuing the below command. Use --help switch to list all tripwire check command options.

# tripwire --check --help
# tripwire --check

After tripwire check command completes, review the report by opening the file with the extension .twr from /var/lib/tripwire/report/ directory with your favorite text editor command, but before that you need to convert to text file.

# twprint --print-report --twrfile /var/lib/tripwire/report/tecmint-20170727-235255.twr > report.txt
# vi report.txt
Tripwire System Report
Tripwire System Report

That’s It! you have successfully installed Tripwire on the Linux server. I hope you can now easily configure your Tripwire IDS.

Tutorial Feedback...
Was this article helpful? If you don't find this article helpful or found some outdated info, issue or a typo, do post your valuable feedback or suggestions in the comments to help improve this article...

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

4 thoughts on “How to Install Tripwire IDS (Intrusion Detection System) on Linux”

  1. Nice article sir, some more details for beginners will be more helpful.

    report output looks like this, what should i do? anything wrong.

      Section: Unix File System
      Rule Name                       Severity Level    Added    Removed  Modified
      ---------                       --------------    -----    -------  --------
      Other binaries                  66                0        0        0
      Tripwire Binaries               100               0        0        0
      Other libraries                 66                0        0        0
      Root file-system executables    100               0        0        0
    * Tripwire Data Files             100               1        0        0
      System boot changes             100               0        0        0
      Root file-system libraries      100               0        0        0
      Critical system boot files      100               0        0        0
      Other configuration files       66                0        0        0
      Boot Scripts                    100               0        0        0
      Security Control                66                0        0        0
      Root config files               100               0        0        0
    * Devices & Kernel information    100               13442    17733    15
      Invariant Directories           66                0        0        0
    Total objects scanned:  178950
    Total violations found:  31191
  2. Hallo, I’ve quick question : after installing tripwire and generating two keys, want to initialize it and got such message :

    ### Error: Keyfile Read/Write error.
    ### /etc/tripwire/site.key
    ### Exiting...

    Anyone know what it can be exactly, please?

    Would appreciate any help with it.


Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.