File Integrity Monitoring (FIM) detects unauthorised modifications to critical system files — a key indicator of compromise that antivirus and network monitoring tools often miss. Tripwire is a battle-tested open-source FIM tool that creates a cryptographic hash database of your filesystem and alerts you when files are added, modified, or deleted. On RHEL 9, Tripwire is available from the EPEL repository and integrates well with systemd for automated nightly checks. This tutorial covers installation, key generation, policy configuration, database initialisation, running integrity checks, and scheduling automated monitoring.
Prerequisites
- RHEL 9 server with root or sudo access
- EPEL repository enabled (dnf install -y epel-release)
- A freshly hardened system is ideal — initialise the database before deploying to production
- Basic familiarity with the Linux filesystem hierarchy
Step 1 — Install Tripwire from EPEL
Enable the EPEL repository if not already enabled, then install Tripwire. The installation includes the Tripwire binary, default policy file, and configuration file.
dnf install -y epel-release
dnf install -y tripwire
Verify the installation:
tripwire --version
Step 2 — Generate Site and Local Keys
Tripwire uses two passphrases to protect its configuration and database files: the site key (protects policy and configuration files) and the local key (protects the database and reports). Run the setup script, which prompts for both passphrases interactively. Store these passphrases securely — without them you cannot update the policy or database.
tripwire-setup-keyfiles
This creates the key files at:
ls -la /etc/tripwire/
# site.key — encrypts policy and tripwire.cfg
# hostname-local.key — encrypts database and reports
Then generate the signed configuration and policy binary files:
twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Step 3 — Edit the Policy File to Define Monitored Rules
The policy file /etc/tripwire/twpol.txt defines which directories and files to monitor and what attributes to check (permissions, owner, size, content hash, etc.). Open the file and review the default rules. At minimum, ensure the following critical directories are covered with high-severity property masks. The property mask $(SEC_CRIT) checks all attributes including content hash.
# /etc/tripwire/twpol.txt — key sections to review and customise
# Critical system binaries — should never change
(
rulename = "OS Executables and Libraries",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_CRIT) ;
/sbin -> $(SEC_CRIT) ;
/usr/bin -> $(SEC_CRIT) ;
/usr/sbin -> $(SEC_CRIT) ;
/lib64 -> $(SEC_CRIT) ;
}
# Configuration files — monitor for unauthorised changes
(
rulename = "System Configuration Files",
severity = $(SIG_HI)
)
{
/etc -> $(SEC_CONFIG) ;
}
# Boot files
(
rulename = "Boot Files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
}
After editing, regenerate the signed policy binary:
twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
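Before signing the policy and initialising the database, it is worth listing every target in twpol.txt that does not exist on this host, because absent paths otherwise show up as file-system errors in every report. The helper below is an added example, not code from this tutorial or from the Tripwire project; it assumes the line layout used above (`/path -> $(MASK) ;`, and `!/path ;` for stop points), and the function names twpol_missing_paths, twpol_missing_count and twpol_disable_missing are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from the Tripwire project.
# Lists policy targets that do not exist on this host so they can be commented
# out before "twadmin --create-polfile" and "tripwire --init". Assumes the
# twpol.txt layout "<path> -> $(MASK) ;" and "!<path> ;" for stop points.

# sed program: extract the absolute path that begins a rule target line.
TWPOL_TARGET_RE='s#^[[:space:]]*!?(/[^[:space:];]*)[[:space:]]*(->|;).*#\1#p'

# Print every target in the policy file that is neither a file/dir nor a symlink
# (a dangling symlink still exists as far as Tripwire is concerned).
twpol_missing_paths() {
    sed -n -E "$TWPOL_TARGET_RE" "$1" |
    while IFS= read -r path; do
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of missing targets (0 when the policy matches the host).
twpol_missing_count() {
    twpol_missing_paths "$1" | wc -l | tr -d ' '
}

# Write a copy of the policy with each missing target commented out,
# leaving the rest of the rule block intact for review.
twpol_disable_missing() {
    in=$1
    out=$2
    while IFS= read -r line; do
        path=$(printf '%s\n' "$line" | sed -n -E "$TWPOL_TARGET_RE")
        if [ -n "$path" ] && [ ! -e "$path" ] && [ ! -L "$path" ]; then
            printf '# missing on this host: %s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done < "$in" > "$out"
}

# Demonstration on a constructed policy fragment (not a real twpol.txt).
sample=$(mktemp)
cat > "$sample" <<'EOF'
(
  rulename = "Constructed Example",
  severity = $(SIG_HI)
)
{
  /bin -> $(SEC_CRIT) ;
  /opt/constructed-example-app -> $(SEC_CRIT) ;
  !/var/run/constructed-example.pid ;
}
EOF
echo "missing targets: $(twpol_missing_count "$sample")"
twpol_missing_paths "$sample"
rm -f "$sample"

# Real usage once the policy is in place:
#   twpol_missing_paths /etc/tripwire/twpol.txt
#   twpol_disable_missing /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.new
```

Review the generated copy, move it over twpol.txt, then sign it with the twadmin command above; the disabled lines stay in the file as comments so the decision is visible to the next person who audits the policy.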
Step 4 — Initialise the Tripwire Database
The --init command scans your filesystem according to the policy rules and stores cryptographic hashes of every monitored file in the database. This establishes the trusted baseline. Run this command on a known-good, freshly configured system. You will be prompted for the local key passphrase.
tripwire --init
The database is stored at (path varies by hostname):
ls /var/lib/tripwire/
# hostname.twd — the signed, encrypted database file
Step 5 — Run an Integrity Check and Read the Report
Run tripwire --check to compare the current filesystem state against the baseline database. Any additions, modifications, or deletions are recorded in an encrypted report file. The command prints a summary to stdout and saves the full report.
# Run integrity check
tripwire --check
# List generated reports
ls /var/lib/tripwire/report/
# Read the latest report in human-readable form
twprint -m r --twrfile /var/lib/tripwire/report/$(ls -t /var/lib/tripwire/report/ | head -1) | less
The report groups findings by rule and shows the property that changed (e.g., Modified, Added, or Removed) alongside the file path. Investigate any unexpected modifications immediately.
Step 6 — Update the Database and Schedule Nightly Checks
After making legitimate system changes (e.g., package updates), update the Tripwire database to accept the new file states as the trusted baseline. Use --update, which opens the report in an editor with a ballot box before each change; an entry marked with an x is accepted into the database (Tripwire pre-marks every entry, so remove the x from any change you do not want to accept).
# Update database after legitimate changes
tripwire --update --twrfile /var/lib/tripwire/report/$(ls -t /var/lib/tripwire/report/ | head -1)
# Or update the policy after editing twpol.txt
tripwire --update-policy /etc/tripwire/twpol.txt
Create a systemd timer to run nightly integrity checks and record the results in the journal (to mail the report as well, add --email-report to the ExecStart line and set MAILMETHOD in twcfg.txt; reports go to the addresses in each rule's emailto attribute). First create the service unit:
cat > /etc/systemd/system/tripwire-check.service << 'EOF'
[Unit]
Description=Tripwire Integrity Check
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/tripwire --check
StandardOutput=journal
StandardError=journal
EOF
Then create the timer unit:
cat > /etc/systemd/system/tripwire-check.timer << 'EOF'
[Unit]
Description=Nightly Tripwire Integrity Check
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
EOF
systemctl daemon-reload
systemctl enable --now tripwire-check.timer
# Confirm timer is scheduled
systemctl list-timers tripwire-check.timer
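The report-reading step in Step 5 and the timer above leave one gap: the oneshot unit succeeds whether or not the report contains violations, so findings sit in the journal until someone decodes the report by hand. The script below is an added example, not code from this tutorial or from the Tripwire project. It parses the object listings of a twprint report and is written so that it can replace `/sbin/tripwire --check` as the unit's ExecStart: it runs the check, decodes the newest .twr file, and exits non-zero when anything was added, removed or modified, which marks the service failed and makes it visible in `systemctl --failed`. The embedded sample report is constructed to approximate twprint's layout, and the function names and the TW_REPORT_DIR override are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from the Tripwire project.
# Parses the object listings of a decoded Tripwire report and, when used as
# the systemd ExecStart, fails the unit if violations were found.
# Assumes twprint lists changed objects as quoted paths under the headings
# "Added:", "Removed:" and "Modified:".

# Read a decoded report on stdin; print "<Kind> <path>" per changed object.
tw_report_changes() {
    awk '
        /^[ \t]*(Added|Removed|Modified):[ \t]*$/ { kind = $1; sub(/:$/, "", kind); next }
        /^"\// && kind != ""                     { path = $0; gsub(/^"|"$/, "", path); print kind, path; next }
        /^[ \t]*$/                               { next }   # blank lines do not end a listing
        { kind = "" }                                       # any other line does
    '
}

# Number of changed objects in the report on stdin (0 when clean).
tw_violation_count() {
    tw_report_changes | wc -l | tr -d ' '
}

# ExecStart wrapper: run the check, decode the newest report, fail on findings.
tw_nightly_check() {
    report_dir=${TW_REPORT_DIR:-/var/lib/tripwire/report}
    tripwire --check >/dev/null 2>&1 || true    # findings are read from the report below
    latest=$(ls -t "$report_dir"/*.twr 2>/dev/null | head -n 1)
    if [ -z "$latest" ]; then
        echo "tripwire-check: no report found in $report_dir" >&2
        return 2
    fi
    changes=$(twprint -m r --twrfile "$latest" | tw_report_changes)
    if [ -z "$changes" ]; then
        echo "tripwire-check: no violations ($latest)"
        return 0
    fi
    echo "tripwire-check: violations recorded in $latest"
    printf '%s\n' "$changes"
    return 1
}

# Constructed sample (approximates the layout of twprint output; not a real report).
TW_SAMPLE_REPORT='Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* OS Executables and Libraries    100               0        0        1
* System Configuration Files      66                1        0        1

Total objects scanned:  18421
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
Rule Name: OS Executables and Libraries (/usr/bin)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/bin/ls"

-------------------------------------------------------------------------------
Rule Name: System Configuration Files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/etc/cron.d/new-job"

Modified:
"/etc/ssh/sshd_config"'

if [ "${1:-}" = "--nightly" ]; then
    tw_nightly_check            # e.g. ExecStart=/usr/local/sbin/tripwire-check.sh --nightly
else
    printf '%s\n' "$TW_SAMPLE_REPORT" | tw_report_changes
fi
```

Install the script as root-owned and non-writable by others, point ExecStart at it with the --nightly argument, and a night with findings then shows up as a failed tripwire-check.service in `systemctl --failed` and in `journalctl -u tripwire-check.service`, with the changed paths listed, rather than as a silent success.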
Conclusion
You have installed and configured Tripwire on RHEL 9 for file integrity monitoring, established a cryptographic baseline database, and set up automated nightly checks via a systemd timer. Tripwire now provides a reliable detection layer for unauthorised filesystem changes that could indicate rootkit installation, configuration tampering, or an active compromise. Review reports daily and update the database only after verifying that changes are from authorised activities.
Next steps: How to Set Up AIDE as an Alternative File Integrity Monitor on RHEL 9, How to Forward Tripwire Alerts to a SIEM with rsyslog on RHEL 9, and How to Encrypt Disk Partitions with LUKS on RHEL 9.