How to Set Up Tripwire for File Integrity Monitoring on RHEL 7
File Integrity Monitoring (FIM) is the practice of detecting unauthorised changes to critical system files, configuration files, and binaries. When an attacker compromises a system, they often modify files to install backdoors, alter logging behaviour, or escalate privileges. Tripwire creates a cryptographic baseline of your filesystem, then compares future snapshots against that baseline to detect any additions, modifications, or deletions. This tutorial covers installing Tripwire on RHEL 7, generating cryptographic keys, creating the policy and configuration files, initialising the baseline database, running integrity checks, and scheduling automated monitoring with cron.
Prerequisites
- RHEL 7 server with root or sudo access
- EPEL repository enabled (or Tripwire source archive if installing from source)
- At least 200 MB free disk space for the Tripwire database
- A freshly installed or known-good system state before initialising the baseline
- Basic familiarity with the Linux filesystem hierarchy
Step 1: Install Tripwire
Tripwire is available in the EPEL repository for RHEL 7. Enable EPEL and install the package:
sudo yum install -y epel-release
sudo yum install -y tripwire
Verify the installation:
tripwire --version
# Tripwire(R) 2.4.x.x Open Source, (C) 1998-2016 Tripwire, Inc.
The key files and directories installed by the package are:
- /etc/tripwire/: configuration files
- /var/lib/tripwire/: encrypted policy, database, and report files
- /usr/sbin/tripwire: main scanner binary
- /usr/sbin/twadmin: administrative utility for key and policy management
- /usr/sbin/twprint: report and database viewer
Step 2: Generate Site and Local Keys
Tripwire uses two separate passphrases and key files. The site key encrypts configuration and policy files (shared across multiple machines running the same policy). The local key encrypts the database (unique to each monitored host). Generate both keys using twadmin --generate-keys:
sudo twadmin --generate-keys --site-keyfile /etc/tripwire/site.key
You will be prompted to enter and confirm a site passphrase. Choose a strong passphrase and store it securely — losing this passphrase means you cannot update the policy or configuration.
Enter the site keyfile passphrase: **********************
Verify the site keyfile passphrase: **********************
Generating key (this may take several minutes)...
Key generation complete.
Generate the local key:
sudo twadmin --generate-keys --local-keyfile /etc/tripwire/$(hostname)-local.key
Enter a different passphrase for the local key. Set restrictive permissions on both key files:
sudo chmod 600 /etc/tripwire/site.key
sudo chmod 600 /etc/tripwire/$(hostname)-local.key
Step 3: Create the Encrypted Configuration File
The plain-text template configuration file is at /etc/tripwire/twcfg.txt. Review it and adjust paths if needed, then create the encrypted signed configuration file using twadmin --create-cfgfile. The --cfgfile flag specifies the output encrypted file:
sudo twadmin --create-cfgfile \
  --cfgfile /etc/tripwire/tw.cfg \
  --site-keyfile /etc/tripwire/site.key \
  /etc/tripwire/twcfg.txt
Enter the site passphrase when prompted. The resulting tw.cfg is a signed, encrypted binary that cannot be tampered with without knowledge of the site key. Verify the encrypted config was created:
ls -lh /etc/tripwire/tw.cfg
# -rw------- 1 root root 4.5K May 17 10:00 /etc/tripwire/tw.cfg
Step 4: Create the Encrypted Policy File
The policy file defines which files and directories to monitor and which properties to check (permissions, ownership, size, MD5 hash, SHA1 hash, etc.). The default policy template is at /etc/tripwire/twpol.txt. Review and customise it for your system. Key sections to understand:
# Example policy rule syntax in twpol.txt:
/bin -> $(ReadOnly) ;
/sbin -> $(ReadOnly) ;
/lib -> $(ReadOnly) ;
/etc/passwd -> $(SEC_CONFIG) ;
/etc/shadow -> $(SEC_CONFIG) ;
/etc/hosts -> $(SEC_CONFIG) ;
/var/log -> $(LOG_FILES) ;
/tmp -> $(TEMPORARY) ;
/root -> $(SEC_SENSITIVE) ;
Create the encrypted, signed policy file from the plain-text template:
sudo twadmin --create-polfile \
  --cfgfile /etc/tripwire/tw.cfg \
  --site-keyfile /etc/tripwire/site.key \
  /etc/tripwire/twpol.txt
Enter the site passphrase. The output is /var/lib/tripwire/policy/tw.pol.
Step 5: Initialise the Baseline Database
The baseline database records the current cryptographic state of all files and directories defined in your policy. This must be run on a known-good system — ideally immediately after OS installation before any services are configured:
sudo tripwire --init \
  --cfgfile /etc/tripwire/tw.cfg \
  --polfile /var/lib/tripwire/policy/tw.pol \
  --site-keyfile /etc/tripwire/site.key \
  --local-keyfile /etc/tripwire/$(hostname)-local.key
Enter the local passphrase when prompted. Tripwire will scan all monitored paths and build the database. Files that do not exist on your system (because the default policy references files from all possible service configurations) will generate warnings:
### Warning: File system error.
### Filename: /etc/sendmail.cf
### No such file or directory
### Continuing...
These warnings are expected on a minimal install. Remove the corresponding rules from /etc/tripwire/twpol.txt, recreate the policy file, and re-run --init to eliminate noise from future reports. The database is stored at:
ls -lh /var/lib/tripwire/$(hostname).twd
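Pruning the rules for files that are absent on a minimal install is tedious by hand. The script below is an added example, not part of this tutorial or of the Tripwire project: it reads a plain-text policy, checks whether each rule's object path exists on the host, and writes a copy in which the rules for missing paths are commented out, so the resulting file can be reviewed and then used to recreate tw.pol. The function name comment_missing_rules and the sample policy it is run against are constructed for the example; rules whose path contains spaces (quoted paths) are not handled.

```shell
#!/bin/bash
# Added example (not from the tutorial or the Tripwire project): comment out
# policy rules whose object path does not exist on this host, so that
# "tripwire --init" and "tripwire --check" stop warning about them.
# Function name and the sample policy below are constructed.

set -u

# comment_missing_rules SRC DST
# Reads a plain-text Tripwire policy (SRC) and writes a copy (DST) in which
# every rule line whose object path does not exist is prefixed with '#'.
# Prints the number of rules commented out.
comment_missing_rules() {
    local src="$1" dst="$2" count=0 line path
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        # A rule line is: optional whitespace, an absolute path, whitespace,
        # then the '->' operator. Comments, variable definitions, rule-section
        # headers and '!' exclusions are copied through unchanged.
        if printf '%s\n' "$line" | grep -Eq '^[[:space:]]*/[^[:space:]]*[[:space:]]*->'; then
            path=$(printf '%s\n' "$line" | sed -E 's|^[[:space:]]*(/[^[:space:]]*).*|\1|')
            if [ ! -e "$path" ]; then
                line="#${line}"          # keep the rule visible but inert
                count=$((count + 1))
            fi
        fi
        printf '%s\n' "$line" >> "$dst"
    done < "$src"
    echo "$count"
}

# Demo against a constructed sample policy (not a real twpol.txt).
demo_dir=$(mktemp -d)
cat > "$demo_dir/twpol.txt" <<'EOF'
# constructed sample rules
(
  rulename = "Constructed sample",
  severity = 100
)
{
  /etc                              -> $(ReadOnly) ;
  /etc/this-file-does-not-exist-xyz -> $(SEC_CONFIG) ;
  !/etc/mtab ;
}
EOF
n=$(comment_missing_rules "$demo_dir/twpol.txt" "$demo_dir/twpol.pruned.txt")
echo "commented out $n rule(s); review $demo_dir/twpol.pruned.txt before copying it over /etc/tripwire/twpol.txt"
```

On a real host, run it against /etc/tripwire/twpol.txt, diff the pruned copy against the original, then copy it into place and repeat Step 4 and Step 5 (twadmin --create-polfile followed by tripwire --init). Commenting rather than deleting keeps the rule in the file, so it is easy to re-enable when the service is later installed.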
Step 6: Run an Integrity Check
Run tripwire --check to compare the current filesystem state against the baseline database:
sudo tripwire --check \
  --cfgfile /etc/tripwire/tw.cfg \
  --polfile /var/lib/tripwire/policy/tw.pol \
  --local-keyfile /etc/tripwire/$(hostname)-local.key
Tripwire prints a summary to stdout and writes a detailed binary report to /var/lib/tripwire/report/. The summary shows counts of added, modified, and removed objects by rule category.
Step 7: Read Reports with twprint
Binary report files must be decoded with twprint. Find the most recent report file and print it in human-readable format:
REPORT=$(ls -t /var/lib/tripwire/report/*.twr | head -1)
sudo twprint --print-report \
  --cfgfile /etc/tripwire/tw.cfg \
  --local-keyfile /etc/tripwire/$(hostname)-local.key \
  --twrfile "$REPORT"
The output lists each modified file with a property-by-property breakdown. For example, a modified /etc/hosts entry might show:
Modified:
"/etc/hosts"
Inode Number: 1 changed.
Last Modified: changed.
SHA Hash: changed.
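A full twprint report is long, and what an on-call engineer or a SIEM wants is one line per changed object with its rule severity. The script below is an added example, not part of this tutorial or of the Tripwire project: it reduces the Object Summary section of a decoded report (the Rule Name / Severity Level / Added: / Removed: / Modified: layout shown above) to tab-separated lines, then keeps only objects whose rule severity meets a threshold. The function names summarise_report and filter_severity, the threshold value and the sample report text are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the tutorial or the Tripwire project): reduce the
# Object Summary of a twprint report to one line per changed object, then
# keep only objects whose rule severity meets a threshold, so the result can
# be forwarded to syslog or a SIEM. Function names, threshold and the sample
# report text are constructed for this example.

set -u

# summarise_report < report_text
# Emits "<severity>TAB<change>TAB<rule name>TAB<object path>" per changed
# object, in report order. Relies on the Object Summary layout printed by
# twprint: a "Rule Name:" line, a "Severity Level:" line, then Added:/
# Removed:/Modified: headers followed by double-quoted object names.
summarise_report() {
    awk '
        /^Rule Name:/      { rule = $0; sub(/^Rule Name:[ \t]*/, "", rule); next }
        /^Severity Level:/ { sev = $NF; next }
        /^(Added|Removed|Modified):/ { change = $1; sub(/:$/, "", change); next }
        /^"/               { path = $0; gsub(/"/, "", path)
                             printf "%s\t%s\t%s\t%s\n", sev, change, rule, path }
    '
}

# filter_severity MIN < summary_lines
# Keeps only lines whose severity is at least MIN. The stock twpol.txt
# defines SIG_HI=100, SIG_MED=66 and SIG_LOW=33 for its rule severities.
filter_severity() {
    awk -F '\t' -v min="$1" '$1 + 0 >= min'
}

# Constructed sample in the Object Summary layout of twprint --print-report
# (not a real report from any host).
SAMPLE_REPORT='Rule Name: System binaries (/bin)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/ls"

Rule Name: Critical configuration files (/etc)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/etc/cron.d/constructed-example"
Modified:
"/etc/hosts"

Rule Name: Temporary directories (/tmp)
Severity Level: 33
-------------------------------------------------------------------------------
Removed:
"/tmp/constructed.lock"'

# Every changed object, then only those above the paging threshold.
printf '%s\n' "$SAMPLE_REPORT" | summarise_report
printf '%s\n' "$SAMPLE_REPORT" | summarise_report | filter_severity 66
# On a real host, feed the decoded report in instead of the sample:
#   twprint --print-report --cfgfile /etc/tripwire/tw.cfg \
#     --local-keyfile /etc/tripwire/$(hostname)-local.key --twrfile "$REPORT" |
#     summarise_report | filter_severity 66 | logger -t tripwire-check -p auth.warning
```

The threshold of 66 drops the low-severity rules (temporary directories, log rotation) that change on every healthy system, while anything under a SIG_HI or SIG_MED rule, such as a new file in /etc/cron.d or a changed system binary, is still forwarded. Keep the full report on disk; the summary is for alerting, not for replacing it.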
Step 8: Update the Database After Authorised Changes
After applying patches or making authorised configuration changes, update the Tripwire database to record the new baseline. First review the report, then accept the changes interactively:
sudo tripwire --update \
  --cfgfile /etc/tripwire/tw.cfg \
  --polfile /var/lib/tripwire/policy/tw.pol \
  --local-keyfile /etc/tripwire/$(hostname)-local.key \
  --twrfile "$REPORT"
Tripwire opens the report in your default editor. Comment out any changes you do not want to accept, save, and exit. You will be prompted for the local passphrase to re-sign the updated database.
Step 9: Schedule Automated Integrity Checks with Cron
Automate daily integrity checks and email the results to an administrator. Create a cron script:
sudo vi /etc/cron.daily/tripwire-check
Add the following content:
#!/bin/bash
# Daily Tripwire integrity check; mails the decoded report to the administrator.
HOSTNAME=$(hostname)
ADMIN_EMAIL="[email protected]"   # replace with your administrator's address
LOCAL_KEY="/etc/tripwire/${HOSTNAME}-local.key"
REPORT_DIR="/var/lib/tripwire/report"

# Run integrity check (--email-report additionally mails per-rule results to
# any emailto addresses defined in the policy file)
tripwire --check \
  --cfgfile /etc/tripwire/tw.cfg \
  --polfile /var/lib/tripwire/policy/tw.pol \
  --local-keyfile "${LOCAL_KEY}" \
  --email-report

# Find the latest report, decode it with twprint and mail it
LATEST_REPORT=$(ls -t "${REPORT_DIR}"/*.twr 2>/dev/null | head -1)
if [ -n "$LATEST_REPORT" ]; then
  twprint --print-report \
    --cfgfile /etc/tripwire/tw.cfg \
    --local-keyfile "${LOCAL_KEY}" \
    --twrfile "$LATEST_REPORT" |
    mail -s "Tripwire Integrity Report: ${HOSTNAME}" "$ADMIN_EMAIL"
fi
Make the script executable:
sudo chmod 750 /etc/cron.daily/tripwire-check
Test it manually before relying on cron:
sudo /etc/cron.daily/tripwire-check
Conclusion
Tripwire is now monitoring your RHEL 7 filesystem and will alert you to any unauthorised changes. The combination of cryptographically signed databases and policies means that even a privileged attacker cannot silently alter the Tripwire database without the site and local passphrases. Keep these passphrases stored securely offline, never on the monitored server itself. Store a copy of the baseline database on an external, read-only system so that if the server is compromised, you have an authentic reference point for forensic comparison. Revisit and tighten the policy file regularly to monitor newly deployed services and reduce false-positive noise from expected system activity.