File Integrity Monitoring (FIM) detects unauthorized changes to critical system files, binaries, and configuration directories — a key control for detecting intrusions and satisfying compliance requirements such as PCI-DSS and CIS benchmarks. Tripwire Open Source computes cryptographic hashes of monitored files at a baseline and alerts you to any subsequent modifications. This tutorial covers installing Tripwire from EPEL on RHEL 8, initializing the baseline database, running checks, reading reports, and automating nightly scans. Early detection of unexpected file changes can be the difference between a contained incident and a full compromise.
Prerequisites
- RHEL 8 server with the EPEL 8 repository enabled (epel-release is not in RHEL's base repos, so install it from the URL):
  dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
- Root or sudo access
- System in a known-good, freshly patched state before initializing the database
- cronie installed for scheduling (dnf install -y cronie)
- mailx installed if you want reports delivered by mail (dnf install -y mailx)
Step 1 — Install Tripwire from EPEL
EPEL 8 provides the Tripwire Open Source package. Install it and verify the binaries are available.
# EPEL was enabled in Prerequisites (epel-release is not in RHEL's base repos); confirm it is active
dnf repolist enabled | grep -i epel
dnf install -y tripwire
tripwire --version
ls /etc/tripwire/
Key configuration files installed under /etc/tripwire/:
- twcfg.txt: Tripwire configuration (paths, report format)
- twpol.txt: policy file defining which files to monitor and what attributes to check
- site.key and local.key: signing keys generated during setup
Step 2 — Generate Keys and Sign the Configuration and Policy
The setup script generates the site and local key pairs and compiles the plaintext policy and configuration into signed binary files (tw.pol and tw.cfg) so they cannot be altered without the site key. You will be prompted to set a site passphrase (protects the policy and config) and a local passphrase (protects the database). The EPEL package installs this script as tripwire-setup-keyfiles; twinstall.sh is the name from the upstream source tarball, so run whichever one is on your PATH.
tripwire-setup-keyfiles   # upstream name: twinstall.sh
# Prompts:
# Please enter your site passphrase:
# Please enter your local passphrase:
# Verify signed files were created
ls -lh /etc/tripwire/tw.cfg /etc/tripwire/tw.pol
Store both passphrases in a password manager, never on the server itself. Without the local passphrase you cannot update or re-initialize the database; without the site passphrase you cannot change the policy or configuration. Losing either means generating a fresh key pair and re-signing everything.
Step 3 — Initialize the Baseline Database
The --init mode scans all files defined in the policy and records their cryptographic fingerprints. Run this immediately after the system is in a known-good state, before exposing it to network traffic.
tripwire --init
# Prompts for local passphrase
# Verify the database was created
ls -lh /var/lib/tripwire/*.twd
# Expected: /var/lib/tripwire/<hostname>.twd (DBFILE defaults to $(HOSTNAME).twd in twcfg.txt)
The initial scan may take several minutes depending on how many files the policy covers. Expect a batch of "No such file or directory" messages on the first run: the stock policy lists files that do not exist on every installation. Comment those entries out of twpol.txt and re-run --init (or use --update-policy later) so they do not clutter every report. Two things to confirm in twpol.txt before you trust the baseline: that it covers /usr/bin, /usr/sbin and /usr/lib directly, since on RHEL 8 /bin, /sbin and /lib are symlinks into /usr and Tripwire records a symlink as a single object rather than descending into its target; and that the policy, configuration and keys under /etc/tripwire are themselves monitored, otherwise an attacker can quietly edit the rules that are supposed to catch them.
Step 4 — Run an Integrity Check and Read the Report
Use --check to compare the current filesystem state against the baseline database. A check does not prompt for a passphrase. Tripwire prints the report to stdout and also writes a binary .twr report file under /var/lib/tripwire/report/ that you read later with twprint.
# Run integrity check (prints the report and writes a .twr file)
tripwire --check
# List generated reports, newest first
ls -lht /var/lib/tripwire/report/
# Print the most recent report in human-readable format
# (--twrfile takes exactly one file, so do not pass a glob that may expand to several)
REPORT=$(ls -t /var/lib/tripwire/report/*.twr | head -n 1)
twprint -m r --twrfile "$REPORT" | less
# Show only the violation sections (Added, Removed, Modified) and the objects listed under them
twprint -m r --twrfile "$REPORT" | grep -E -A 5 "^(Modified|Added|Removed):"
The report lists each violation with the object name, the rule that matched it, and which attributes changed (inode, permissions, ownership, size, hash). Investigate every Modified entry under /etc, /usr/bin and /usr/sbin first (/bin and /sbin resolve into /usr on RHEL 8): a changed hash on a binary that no package update touched is the classic sign of a replaced tool. For files owned by a package, rpm -V <package> gives an independent second opinion on whether the on-disk content still matches what the package shipped.
Step 5 — Update the Database After Planned Changes
After applying a package update or making an intentional configuration change, run a check, review the report, and then fold the expected differences into the database so later checks do not keep flagging them. Never update the baseline from a report you have not read.
# Run a check first, then update the database from that report
tripwire --check
REPORT=$(ls -t /var/lib/tripwire/report/*.twr | head -n 1)
tripwire --update --twrfile "$REPORT"
# Prompts for the local passphrase and opens the report in $EDITOR: every violation is
# pre-marked [x] (accept). Delete the x on anything you did not expect and it stays a violation.
# Accept everything without the editor (only after you have already reviewed the report)
tripwire --update --twrfile "$REPORT" --accept-all
# Changing what is monitored is a policy update, not a database update: edit twpol.txt, then
tripwire --update-policy /etc/tripwire/twpol.txt
# Prompts for the site passphrase (to sign the policy) and the local passphrase (to update the database)
After a dnf update the same check-then-update flow applies. Re-initializing with tripwire --init is quicker, but it accepts the current filesystem as the truth, including anything an intruder may already have changed, so use it only once you have read the check report and are satisfied that every difference came from the update.
Step 6 — Schedule Nightly Integrity Checks with cron
Automate a daily check and email the report to the administrator. A check does not need a passphrase, so there is no reason to store the local or site passphrase on disk for unattended runs; passphrases are only needed for the interactive --update and --update-policy steps. mailx and a working MTA are required for the mail step. Look first at whether the package already dropped a daily job into /etc/cron.daily/ (ls /etc/cron.daily/) so you do not end up running two checks a night.
# Wrapper script: run the check (no passphrase needed) and mail the newest report
cat > /usr/local/bin/tripwire-nightly.sh <<'EOF'
#!/bin/bash
/usr/sbin/tripwire --check >/dev/null 2>&1
/usr/sbin/twprint -m r --twrfile "$(ls -t /var/lib/tripwire/report/*.twr | head -n 1)" | mail -s "Tripwire report: $(hostname)" root
EOF
chmod 0700 /usr/local/bin/tripwire-nightly.sh
echo '0 2 * * * root /usr/local/bin/tripwire-nightly.sh' > /etc/cron.d/tripwire
# Verify cron is running and the entry is installed (crontab -l does not show /etc/cron.d)
systemctl enable --now crond; cat /etc/cron.d/tripwire
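The report reading from Step 4 and the unattended run from Step 6, combined into one script that mails root only when the report actually contains violations and lists the high-risk paths first. This is an added example written for this article, not the Tripwire package's own cron job or the wrapper above. It assumes the EPEL paths used throughout, that mailx and a local MTA are installed, and that twprint's text output contains a "Total violations found:" line and Added:/Removed:/Modified: headings followed by quoted object names; the embedded sample report is constructed to that layout and is not a real report.

```shell
#!/bin/bash
# tripwire-nightly.sh (added example): unattended Tripwire check that alerts only
# when the report contains violations. A check never needs a passphrase, so no
# secret is stored on disk. Assumes the EPEL layout from this tutorial and that
# mailx plus a working MTA are installed.
set -u

REPORT_DIR=/var/lib/tripwire/report
MAILTO=root

# Newest .twr file in the report directory (prints nothing if there is none).
latest_report() {
    ls -t "${1:-$REPORT_DIR}"/*.twr 2>/dev/null | head -n 1
}

# Reads a twprint text report on stdin and prints the "Total violations found"
# number; prints 0 when the line is absent (e.g. a truncated or empty report).
count_violations() {
    awk -F': *' '/^Total violations found:/ { n = $2 } END { print n + 0 }'
}

# Reads a twprint text report on stdin and prints "CLASS<TAB>path" for every
# object listed under an Added:/Removed:/Modified: heading in the Object Summary.
# twprint quotes object names; the quotes are stripped. Any other non-blank,
# unquoted line (the next "Rule Name:" header, a divider) ends the current list.
list_objects() {
    awk '
        /^(Added|Removed|Modified):$/ { cls = $1; sub(/:$/, "", cls); next }
        /^"/ && cls != ""             { name = $0; gsub(/^"|"$/, "", name); print cls "\t" name; next }
        /^[^"]/                       { cls = "" }
    '
}

# Keeps only the objects the tutorial treats as highest risk: /etc and the binary
# and library directories (/bin, /sbin and /lib resolve into /usr on RHEL 8).
high_risk() {
    awk -F'\t' '$2 ~ /^\/(etc|bin|sbin|lib|lib64|usr\/bin|usr\/sbin|usr\/lib|usr\/lib64)(\/|$)/'
}

# Constructed excerpt (not a real report) in the layout twprint uses for the
# summary line and the Object Summary; used by --selftest and by the tests.
SAMPLE_REPORT='Total violations found: 3

Rule Name: Critical configuration files (/etc)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/passwd"
"/etc/ssh/sshd_config"

Rule Name: Root file-system executables (/bin)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/usr/bin/.hidden"
'

main() {
    # --check exits nonzero when it finds violations; the alert decision is taken
    # from the report text instead, so the exit status is deliberately ignored.
    /usr/sbin/tripwire --check >/dev/null 2>&1 || true
    report=$(latest_report)
    if [ -z "$report" ]; then
        logger -t tripwire-nightly "no report found in $REPORT_DIR"
        return 1
    fi
    text=$(/usr/sbin/twprint -m r --twrfile "$report")
    n=$(printf '%s\n' "$text" | count_violations)
    if [ "$n" -gt 0 ]; then
        {
            printf 'Tripwire found %s violation(s) on %s\n\nHigh-risk objects:\n' "$n" "$(hostname)"
            printf '%s\n' "$text" | list_objects | high_risk
            printf '\nAll objects:\n'
            printf '%s\n' "$text" | list_objects
            printf '\nFull report: %s\n' "$report"
        } | mail -s "Tripwire: $n violation(s) on $(hostname)" "$MAILTO"
    fi
    logger -t tripwire-nightly "check finished: $n violation(s), report $report"
}

case "${1:-}" in
    --run)      main ;;
    --selftest) printf '%s\n' "$SAMPLE_REPORT" | list_objects | high_risk ;;
esac
```

Install it as /usr/local/bin/tripwire-nightly.sh with mode 0700 and point the cron.d entry at it with the --run argument; --selftest prints the high-risk objects from the embedded sample so you can see the parser's output without running a real check. Because the script reads the report rather than trusting the exit code, a missing report (for example a mis-set REPORTFILE in twcfg.txt) is logged as a failure instead of silently producing an empty mail.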
Conclusion
Tripwire is now monitoring your RHEL 8 system’s critical files, alerting you to any unauthorized modifications via nightly reports. Combine Tripwire with SELinux, auditd, and firewalld to build a layered defense that detects both external intrusions and insider threats. Review every report, investigate unexpected changes promptly, and update the baseline only after verifying changes are legitimate.
Next steps: How to Configure auditd for Advanced System Auditing on RHEL 8, How to Encrypt Disk Partitions with LUKS on RHEL 8, and How to Scan for Vulnerabilities with OpenVAS on RHEL 8.