Tripwire filesystem integrity checking

Install Tripwire:

apt-get install tripwire

Skip Tripwire initialization during the installation.

To initialize Tripwire, you need to setup

twcfg.txt

twpol.txt

tw.cfg, tw.pol

Generate the site and local keys:

DIR=/etc/tripwire
SITE_KEY=$DIR/site.key
LOCAL_KEY=$DIR/`hostname`-local.key
twadmin --generate-keys --site-keyfile $SITE_KEY
twadmin --generate-keys --local-keyfile $LOCAL_KEY

Remember the passphrase.
Two new files, site.key and desktop...-local.key, appear in directory /etc/tripwire.

The default configuration file, /etc/tripwire/twcfg.txt, is okay to use as it is. It sets the paths and some env. variables.
The policy file contains rule names, severity levels, and the file systems list.

Modify the policy file, /etc/tripwire/twpol.txt as follows:

/root

/etc/rc.boot

/proc

/dev

!/dev/pts ; !/dev/shm ;

The site key encrypts/signs the configuration and policy files, tw.cfg, tw.pol; the local key encrypts/signs the database. Sign the configuration and policy files:

twadmin --create-cfgfile --cfgfile $DIR/tw.cfg  --site-keyfile $SITE_KEY $DIR/twcfg.txt
twadmin --create-polfile --cfgfile $DIR/tw.cfg  --site-keyfile $SITE_KEY $DIR/twpol.txt

The new files tw.cfg and tw.pol are encrypted with site.key and not human readable.

Build the Tripwire database and sign it with the local key:

tripwire --init

Remove the text configuration and policy files for better protection:

rm twcfg.txt twpol.txt

Note, in case you need to modify them, they can be extracted from tw.cfg and tw.pol:

twadmin --print-cfgfile > twcfg.txt
twadmin --print-polfile > twpol.txt

Run system integrity check:

tripwire --check

Create a new file, /etc/newfile.txt and run the integrity check again.

Print the last tripwire report:

LAST_REPORT=$(ls -1t /var/lib/tripwire/report/* | head -1)
twprint  --print-report  --twrfile  $LAST_REPORT