How to Install Tripwire IDS on Debian

The Debian tripwire package is Open Source Tripwire, a host-based file and directory integrity checker. It records a signed baseline of the attributes (hashes, permissions, ownership, timestamps, inode data) of the files you tell it to watch, and later compares the live system against that baseline to flag additions, removals and modifications to critical binaries and configuration files. It tells you that something changed, not who changed it, so it complements rather than replaces logging and an intrusion detection system. This guide covers installation, policy configuration, database initialization, automated checks, troubleshooting, and removal.

Update the System

Before installing new software, refresh your package lists and apply any pending updates:

sudo apt update && sudo apt upgrade

Install Tripwire

Since Tripwire is available in the default Debian repositories, you can install it directly with APT:

sudo apt install tripwire

During installation, a series of configuration dialogs appear. These dialogs set up the cryptographic keys that Tripwire uses to sign and verify its configuration files and database.

Tripwire Key System

The software uses two separate passphrases:

  • Site key passphrase: Protects the configuration and policy files. Use this when modifying Tripwire settings. If you manage multiple servers, you can share this key across systems.
  • Local key passphrase: Protects the database and reports on this specific machine. Use a unique passphrase for each host.

Store both passphrases in a password manager, not on the monitored host: the signatures on the policy and database only prevent tampering as long as an attacker who gains root cannot also find the passphrases, so never script them into files or cron jobs. If you lose them, you must regenerate the keys and reinitialize the database, losing your integrity baseline.

Respond to Installation Prompts

During installation, you’ll walk through a series of blue dialog screens. If you’ve never seen these before, don’t worry. They’re simple text-based menus. Use Tab to move between buttons and Enter to confirm your choice.

Quick tip: Have a password manager or notepad ready. You’ll create two different passphrases that you’ll need later to manage Tripwire.

Step 1: Acknowledge the Passphrase Warning

The first screen warns that the passphrases you type in these dialogs are echoed on the screen. That is a limitation of the debconf prompts, not a sign that something is wrong. Make sure nobody can see the screen and that the session is not being recorded or shared (screen sharing, terminal logging, a shared tmux session) while you type them.

What to do: Press Tab until <Ok> is highlighted, then press Enter.

Step 2: Create Your Site Key

Tripwire asks if you want to create a site key now. This key signs your configuration and policy files, so you definitely want one.

What to do: Select <Yes> and press Enter. Then type your site passphrase when prompted. You’ll enter it twice to confirm. Pick something strong but memorable.

Step 3: Create Your Local Key

Now Tripwire wants a second passphrase for the local key. This one protects the database on this specific machine.

What to do: Select <Yes>, then enter a different passphrase than your site key. Using the same passphrase defeats the purpose of having two keys.

Step 4: Build the Configuration File

The installer offers to build and sign your configuration file right now. Say yes to save yourself a manual step later.

What to do: Select <Yes> and press Enter.

Step 5: Build the Policy File

Finally, Tripwire asks to build the policy file. This defines which files and directories get monitored. You want this.

What to do: Select <Yes> and press Enter.

That’s it for the dialogs. The installer finishes, and Tripwire is now installed on your system.

Verify the Installation

Once installation completes, confirm that the binary runs. It lives in /usr/sbin, which is not on every regular user's PATH, so invoke it with sudo:

sudo tripwire --version

You should see output similar to:

Open Source Tripwire(R) 2.4.3.7.0 built for x86_64-pc-linux-gnu

The developer of the original code and/or files is Tripwire, Inc.  Portions 
created by Tripwire, Inc. are copyright 2000-2018 Tripwire, Inc.  Tripwire is a 
registered trademark of Tripwire, Inc.  All rights reserved.

Additionally, the installation creates configuration files in /etc/tripwire/:

ls -la /etc/tripwire/

You should see output similar to:

total 48
drwxr-xr-x 2 root root 4096 Dec 21 00:52 .
drwxr-xr-x 1 root root 4096 Dec 21 00:52 ..
-rw------- 1 root root  931 Dec 21 00:52 hostname-local.key
-rw------- 1 root root  931 Dec 21 00:52 site.key
-rw-r--r-- 1 root root 4586 Dec 21 00:52 tw.cfg
-rw-r--r-- 1 root root 4159 Dec 21 00:52 tw.pol
-rw-r--r-- 1 root root  510 Jun  6  2025 twcfg.txt
-rw-r--r-- 1 root root 6057 Jun  6  2025 twpol.txt

These files are:

  • tw.cfg: Compiled configuration file, signed with the site key
  • tw.pol: Compiled policy file, signed with the site key
  • twcfg.txt: Plain text configuration source
  • twpol.txt: Plain text policy source
  • site.key: Site key for signing the configuration and policy
  • <hostname>-local.key: Local key for signing the database and reports

Tripwire reads only the signed tw.cfg and tw.pol; the .txt files are the sources you edit and then re-sign. Note that both sources are world-readable (mode 644 in the listing above), and the policy source tells anyone on the host exactly which paths are and are not monitored. Once the signed copies exist, tighten their permissions (chmod 600) or move them off the host; they can be regenerated at any time from the signed files with twadmin --print-cfgfile and twadmin --print-polfile.

Configure the Policy

By default, the policy monitors many files and directories, but some entries may not exist on your system. As a result, running an integrity check with the default policy often produces warnings about missing files.

Adjust the Report Level (Optional)

Tripwire’s report level controls how much detail appears in reports. The scale runs from 0 to 4; the default is 3, a concise report listing each violated rule and object. Level 4 adds the expected and observed value of every changed property, which is what you want when investigating a change rather than just noticing it:

sudo nano /etc/tripwire/twcfg.txt

Find the REPORTLEVEL line and change the value from 3 to 4. Then, save with Ctrl+O and exit with Ctrl+X. After modifying the configuration, regenerate the signed configuration file. The -c and -S arguments below are relative paths, so run twadmin from /etc/tripwire:

cd /etc/tripwire
sudo twadmin -m F -c tw.cfg -S site.key twcfg.txt

Enter your site passphrase when prompted.

Remove Missing File Entries (Optional)

Similarly, the default policy includes paths that may not exist on all systems. Rather than manually editing the long policy file, you can use a Perl script that comments out entries whose paths do not exist on this host, re-enables commented entries whose paths do exist, and sets the policy's HOSTNAME variable to the running host's name (the default policy uses $(HOSTNAME) to locate the database and local key). Create the script:

sudo nano /etc/tripwire/twpolmake.pl

Then, paste the following script:

#!/usr/bin/perl
# twpolmake.pl: tailor twpol.txt to this host.
#   - sets HOSTNAME to the running host's name
#   - comments out rule entries whose path does not exist here
#   - re-enables commented entries whose path does exist
# Run as root so the existence checks can see root-only paths.
# Usage: perl twpolmake.pl twpol.txt > twpol.txt.new
use strict;
use warnings;

my $polfile = $ARGV[0] or die "usage: $0 twpol.txt > twpol.txt.new\n";
open( my $pol, '<', $polfile ) or die "open error: $polfile: $!\n";

my $myhost = `hostname`;
chomp $myhost;

my $inrule = 0;    # true while inside a { ... } rule body

while ( my $line = <$pol> ) {
    chomp $line;

    if ( $line =~ /^HOSTNAME\s*=\s*"?([^";\s]*)"?\s*;/ ) {
        # $(HOSTNAME) names the database and local key in the policy,
        # so it must match this machine.
        $line = "HOSTNAME=\"$myhost\";" if $1 ne $myhost;
    }
    elsif ( $line =~ /^\{/ ) {
        $inrule = 1;
    }
    elsif ( $line =~ /^\}/ ) {
        $inrule = 0;
    }
    elsif ( $inrule and $line =~ /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/ ) {
        # $sharp: leading whitespace plus an optional '#'
        # $tpath: the absolute path being monitored
        # $cond:  the " -> $(MASK) ;" remainder of the entry
        my ( $sharp, $tpath, $cond ) = ( $1, $2, $3 );
        my $was_commented = ( $sharp =~ s/\#//g ) ? 1 : 0;

        # Special case carried over from the original script: keep the
        # tune2fs note on the e2fsadm entry as a comment.
        if ( $tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }

        if ( !-e $tpath ) {
            # Missing on this host: comment it out. -e rather than -s, so an
            # existing but empty file stays monitored.
            $line = "$sharp#$tpath$cond" unless $was_commented;
        }
        else {
            # Present: make sure the entry is active.
            $line = "$sharp$tpath$cond";
        }
    }
    print "$line\n";
}
close $pol;

Save and exit. Run the script as root: the existence checks must see root-only paths, and /etc/tripwire is writable only by root, so the output redirection has to happen inside the sudo shell as well (with a plain sudo perl ... > file the redirection runs as your user and fails with permission denied). Then sign the new policy. twadmin's file arguments are relative paths, so run it from /etc/tripwire:

sudo sh -c 'perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new'
cd /etc/tripwire
sudo twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

Enter your site passphrase when prompted. Before signing, it is worth comparing twpol.txt and twpol.txt.new (diff -u) to see which entries were commented out. Keep twpol.txt.new as the source for future edits; the signed tw.pol is what Tripwire actually uses.
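If you want to extend the default policy rather than only prune it, rules in twpol.txt have the shape below. This is an added example and not part of Debian's shipped policy: the /opt/app paths are hypothetical, while SEC_BIN, SEC_CONFIG, SEC_CRIT and SIG_HI are the property-mask and severity variables that the default twpol.txt already defines. The emailto attribute only has an effect when MAILMETHOD (and SMTPHOST/SMTPPORT for SMTP) in twcfg.txt point at a working mail path and the check is run with --email-report.

```text
# Added example rule (not from Debian's twpol.txt). Paths under /opt/app are
# hypothetical. Attributes in the parenthesised header apply to every entry
# in the rule body; each entry is "path -> property mask ;".
(
  rulename = "Application binaries and config",
  severity = $(SIG_HI),
  emailto  = root
)
{
  /opt/app/bin            -> $(SEC_BIN) ;     # read-only binaries; directories recurse by default
  /opt/app/etc            -> $(SEC_CONFIG) ;  # config: changes rarely, read often
  /opt/app/etc/secrets    -> $(SEC_CRIT) ;    # the strictest mask for key material
  !/opt/app/etc/runtime.lock ;                # stop point: rewritten at every start, never report it
}
```

Append the rule to twpol.txt (or twpol.txt.new) without repeating a path the default policy already lists, because the policy compiler rejects an object that appears twice. Then sign it with the twadmin -m P command above and re-initialize the database: a new policy is not reflected in an existing baseline until you run tripwire --init again or tripwire --update-policy.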

Initialize the Database

Once the policy is configured, you need to initialize the database, which stores the baseline state of all monitored files:

sudo tripwire --init

When prompted, enter your local passphrase. During initialization, the system scans all files specified in the policy and records their attributes. Consequently, this process may take several minutes on systems with many files.

After initialization, Tripwire saves the database to /var/lib/tripwire/<hostname>.twd. If you want to view the database contents:

sudo twprint -m d -d /var/lib/tripwire/$(hostname).twd | head -50

Run an Integrity Check

After initializing the database, run a check to compare your system against the baseline:

sudo tripwire --check

The command compares current file states against the database and reports any differences. On a freshly initialized system the report should show no violations. If it does, something changed between --init and --check (a log file that grew, an unattended package upgrade); read the report, and if the changes are expected, accept them with the update procedure below or adjust the policy so that the noisy objects are not tracked that closely.

All reports are saved in /var/lib/tripwire/report/, one file per check, named after the hostname and timestamp. To list them, newest first:

ls -lt /var/lib/tripwire/report/

If you need to read a specific report, use:

sudo twprint -m r --twrfile /var/lib/tripwire/report/<report-filename>.twr

Test Detection

You can confirm that Tripwire detects changes by creating test files in a monitored directory (the default policy watches /root) and running a check:

sudo touch /root/testfile1 /root/testfile2
sudo tripwire --check

As expected, the report shows the new files as additions. After testing, simply remove the test files and run the check again; the filesystem then matches the baseline once more, so no database update is needed. Do not accept the report that lists the additions after deleting the files, or the database would gain entries for files that no longer exist and the next check would report them as removed:

sudo rm /root/testfile1 /root/testfile2
sudo tripwire --check

Update the Database After Changes

Whenever you make intentional changes to your system, you should update the Tripwire database to accept those changes as the new baseline. The update is driven by a report, and you must name the report with -r (--twrfile): the default REPORTFILE setting embeds the run timestamp via $(DATE), so without -r Tripwire looks for a file that does not exist. Use the report from the check that recorded the changes:

sudo tripwire --update --accept-all -r /var/lib/tripwire/report/<report-filename>.twr

When prompted, enter your local passphrase. The command then rewrites the database so that every violation in that report becomes the new expected state. Use --accept-all only after you have read the report: it accepts every change, including any you did not make yourself, and an attacker's modification accepted this way disappears from all future checks.

For interactive review, omit the --accept-all flag:

sudo tripwire --update -r /var/lib/tripwire/report/<report-filename>.twr

Without the flag, Tripwire opens the report in your editor (the EDITOR setting in twcfg.txt). Each violation is preceded by a ballot box [x]; leave the x to accept that change into the database, or delete it to reject the change, save, and quit.

Schedule Automatic Checks

For continuous monitoring, run the check from cron. First look at /etc/cron.daily/tripwire: the Debian package installs a daily job there, and if you add your own entry as well you get two reports a day. Edit the packaged job if a daily run is what you want; to pick a different schedule, add a root cron entry instead:

sudo crontab -e

Next, add a line to run integrity checks at your preferred interval. For example, this runs a check daily at 3:00 AM:

0 3 * * * /usr/sbin/tripwire --check --quiet

Alternatively, for checks every 12 hours (at midnight and noon):

0 */12 * * * /usr/sbin/tripwire --check --quiet

The --quiet flag suppresses the report text on stdout but still writes the report file under /var/lib/tripwire/report/. If you want the results delivered by mail, either drop --quiet so cron mails the output to root, or add --email-report so Tripwire itself sends the report to the emailto addresses in the policy using the MAILMETHOD settings in twcfg.txt; both require a working mail transport agent on the host. For help building cron expressions, visit Crontab.Guru.
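The following wrapper is an added example, not the Debian package's cron job, and ties the last two sections together. It decodes the exit status of tripwire --check (a bitmask: 1 added, 2 removed, 4 changed, 8 error), prints the report only when there is something to see so that cron's mail stays quiet on clean runs, and locates the newest report file so that tripwire --update gets the -r argument it needs. The paths /usr/sbin and /var/lib/tripwire/report are the Debian defaults; the script name tripwire-check.sh, the TW_* variables and the function names are this example's own.

```shell
#!/bin/sh
# tripwire-check.sh: cron wrapper around `tripwire --check` (added example,
# not part of the Debian tripwire package). Assumes the Debian defaults:
# binaries in /usr/sbin, reports in /var/lib/tripwire/report.

TW_BIN=${TW_BIN:-/usr/sbin}
TW_REPORT_DIR=${TW_REPORT_DIR:-/var/lib/tripwire/report}

# decode_tw_status CODE
# `tripwire --check` exits with a bitmask: 1 added, 2 removed, 4 changed,
# 8 error. Print the names of the set bits, or "clean" for 0.
decode_tw_status() {
    code=$1
    out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    [ $((code & 8)) -ne 0 ] && out="$out error"
    [ -n "$out" ] || out=" clean"
    printf '%s\n' "${out# }"
}

# newest_report DIR
# Print the most recently modified .twr file in DIR (nothing if none).
# `tripwire --update` needs an explicit -r because the default REPORTFILE
# name contains $(DATE) and therefore never matches an existing file.
newest_report() {
    newest=""
    for f in "$1"/*.twr; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    printf '%s\n' "$newest"
}

# run_check
# Run the integrity check. Exit 0 silently when clean (so cron sends no
# mail); otherwise print a summary plus the report, and exit 2 if tripwire
# itself hit an error, 1 if there were only violations.
run_check() {
    status=0
    "$TW_BIN/tripwire" --check --quiet || status=$?
    [ "$status" -eq 0 ] && exit 0

    flags=$(decode_tw_status "$status")
    report=$(newest_report "$TW_REPORT_DIR")
    echo "tripwire --check on $(hostname): $flags (exit $status)"
    if [ -n "$report" ]; then
        "$TW_BIN/twprint" --print-report --report-level 2 -r "$report"
    fi
    case " $flags " in
        *" error "*) exit 2 ;;
        *)           exit 1 ;;
    esac
}

# accept_latest [extra tripwire --update options, e.g. --accept-all]
# Open the newest report for database update, after you have read it.
accept_latest() {
    report=$(newest_report "$TW_REPORT_DIR")
    [ -n "$report" ] || { echo "no report in $TW_REPORT_DIR" >&2; return 1; }
    "$TW_BIN/tripwire" --update -r "$report" "$@"
}

# Only run the check when executed as a script, so the file can also be
# sourced for its functions.
case "${0##*/}" in
    tripwire-check.sh) run_check ;;
esac
```

Install it as /usr/local/sbin/tripwire-check.sh, make it executable, and point the cron entry at it instead of calling tripwire directly (0 3 * * * /usr/local/sbin/tripwire-check.sh). To accept the newest report after reviewing it, source the file in a root shell and call accept_latest, for example sudo sh -c '. /usr/local/sbin/tripwire-check.sh; accept_latest'.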

Troubleshoot Common Issues

No Baseline Database Found

If you see this error:

### Error: File could not be opened.
### Filename: /var/lib/tripwire/hostname.twd

This usually means the database has not been initialized. It also happens when the hostname changed after initialization: the default DBFILE setting is /var/lib/tripwire/$(HOSTNAME).twd, evaluated at run time, so Tripwire looks for a file named after the new hostname while the baseline was written under the old one. Either rename the database file to match (and the local key, which follows the same pattern) or re-initialize:

sudo tripwire --init

Many Warnings About Missing Files

The default policy includes files that may not exist on your system. Use the policy cleanup script described earlier, or manually edit /etc/tripwire/twpol.txt to comment out missing paths. After editing, rebuild the signed policy from /etc/tripwire:

sudo twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt

Rebuilding tw.pol does not touch the database, and a check against a baseline built under the old policy still complains. Either recreate the baseline with sudo tripwire --init, or keep the existing baseline for unchanged rules with sudo tripwire --update-policy /etc/tripwire/twpol.txt, which signs the policy and updates the database in one step and asks for both the site and the local passphrase.

Forgot Passphrase

If you lose your passphrases, you must regenerate the keys and reinitialize:

sudo rm /etc/tripwire/*.key /etc/tripwire/tw.cfg /etc/tripwire/tw.pol
sudo rm /var/lib/tripwire/*.twd
sudo dpkg-reconfigure tripwire

Warning: This removes your entire integrity baseline. You lose all historical comparison data.

Permission Denied on Database Files

The software stores its database in /var/lib/tripwire/. If you encounter permission errors, ensure you run commands with sudo. To check ownership:

ls -la /var/lib/tripwire/

All files should be owned by root. If not, you can fix the permissions with:

sudo chown -R root:root /var/lib/tripwire/

Remove Tripwire

If you no longer need Tripwire, uninstall it and remove the dependencies that were pulled in with it:

sudo apt remove --purge tripwire
sudo apt autoremove

The --purge flag removes the configuration files in /etc/tripwire/ along with the package, including both keys; a plain apt remove would leave them in place.

Remove Data Files

Warning: The following commands permanently delete all Tripwire databases and reports. This cannot be undone.

If you also want to remove remaining data after uninstalling:

sudo rm -rf /var/lib/tripwire/

Verify Removal

Finally, confirm that the package is gone:

dpkg -s tripwire

If dpkg reports that the package is not installed, removal succeeded. Do not rely on which tripwire for this check: /usr/sbin is often not on a regular user's PATH, so which prints nothing even while Tripwire is still installed.

Additional Resources

The Open Source Tripwire project, which the Debian package is built from, is maintained on GitHub.

Conclusion

You now have Tripwire monitoring file integrity on your Debian system. The baseline database captures the current state of monitored files, and scheduled checks alert you to changes. Remember to update the database after legitimate system changes, keep the passphrases off the host, and read the reports rather than accepting them wholesale.
