How to Install Tripwire Intrusion Detection System on Debian 11
Tripwire is an Intrusion Detection System. It monitors the server's filesystem and detects unauthorized changes to files and directories.
This guide shows you how to install Tripwire, configure a basic list of files to monitor for changes, and automate the Tripwire filesystem scan.
This guide is for Open Source Tripwire; do not confuse Open Source Tripwire with the commercial version of Tripwire, which is a different software package.
- Deploy a Debian 11 cloud server at Vultr.
- Update the server.
- Create a non-root user with sudo privileges.
- Log in to your server as the non-root user.
1. Install Tripwire
$ sudo apt-get update
$ sudo apt-get install tripwire
During installation, you are prompted to create site keys and local keys. Select
No at both prompts; you will generate the keys manually in the next step.
2. Generate Keys
Tripwire's policy, database, and configuration files are signed by site keys and local keys, which are protected by passphrases. This ensures that your Tripwire configuration cannot be changed without the passphrase.
Make sure you choose memorable and secure passphrases for both keys. You will need them whenever you edit the Tripwire policy or configuration.
Generate the local key.
$ sudo twadmin --generate-keys -L /etc/tripwire/tripwire-local.key
Generate the site key.
$ sudo twadmin --generate-keys -S /etc/tripwire/tripwire-site.key
3. Configure Tripwire
Edit the Configuration File
Open the configuration file
/etc/tripwire/twcfg.txt and edit the following lines to include your site and local keys:
twadmin to sign the edited configuration file.
$ sudo twadmin --create-cfgfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twcfg.txt
Tripwire prompts you to enter the site key's passphrase. It then saves the signed configuration file to
If you make changes to the configuration file in the future, you must re-sign it with the site key.
Create a Policy File
The policy file specifies which directories and files will be monitored for changes. A default policy is provided with Tripwire, but it is complex. You will create a basic policy for this guide which only monitors the
Move the default policy to a different file.
$ sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.old.txt
Create a new policy file called
/etc/tripwire/twpol.txt and add the following rule to it:
/etc -> $(ReadOnly);
This rule tells Tripwire to scan the entire
/etc directory, and to treat the files inside as read-only.
Sign the policy file using the site key.
$ sudo twadmin --create-polfile -S /etc/tripwire/tripwire-site.key /etc/tripwire/twpol.txt
Tripwire prompts you to enter the site key's passphrase. It then saves the signed policy file to
If you make changes to the policy file in the future, you must re-sign it with the site key.
5. Initialize Tripwire
Tripwire maintains a database of files, which it uses to run checks. Whenever you edit a policy, you should re-generate the database.
Generate the initial Tripwire database.
$ sudo tripwire --init
Tripwire prompts you to enter the local key's passphrase.
6. Run a Tripwire Check
You are now ready to run a filesystem check.
$ sudo tripwire --check -r report.twr
Tripwire generates a filesystem report and saves it as
report.twr in your current working directory. It also outputs a plain text version of the report to the terminal. You should see in the
Rule Summary section that no files have been added, removed, or modified.
To test your policy, create a new file in the
$ sudo touch /etc/test.txt
Re-run the Tripwire check.
$ sudo tripwire --check -r report.twr
You should now see that Tripwire detects the file
/etc/test.txt, and lists it in the report.
You can now update the Tripwire database to include the new file, which will prevent it from appearing on future reports.
$ sudo tripwire --update -a -r report.twr
Optional: Automate Tripwire Checks using Cron
Cron is a task scheduler that is used to run programs automatically.
Edit the root crontab file.
$ sudo crontab -u root -e
Add the following line, which will run hourly Tripwire checks on the server.
0 * * * * /usr/sbin/tripwire --check
Cron sends the command output to the mail file
/var/mail/mail. Tripwire stores the reports it generates in
/var/lib/tripwire/report/, which you can use to update the Tripwire database.
You can learn more about using cron to schedule tasks in this Vultr Docs article.
Now that you have installed and configured Tripwire, you should consider which other files on your server need to be monitored for changes and add them to the policy file. You can learn how to write more advanced policies and find examples on the Tripwire GitHub repository.