Tripwire is designed to detect modifications to files and directories and to alert you of any changes. Even though quiet a large amount of effort is needed to configure and run this program, it is very essential for high-profile systems that are exposed directly to the internet.
Tripwire works by storing important information about system directories and files it finds in a database. This information includes date and time, file size and checksums (to detect any modifications to critical system files). Once the database is in place, it works as a referance and should be updated regularly. Tripwire can be run as a cron to be updated daily so that in the event of a breach tripwire can warn you as early as possible by mail.
Tripwire encrypts it’s own data from possible tampering by intruders, so that tripwire can read it but cannot write it without a password.
First of all before one starts using tripwire it is important to create key files, if it hasn’t created already during installation. You can manually crate tripwire key with twadmin utility that come with tripwire:
twadmin –generate-keys -S /etc/tripwire/site.key
Next up you can create the database by typing tripwire –init the program will ask you for your passphrase.
Performing system integrity check is straight forward. Type tripwire –check. This process is likely to take several minutes. When it’s done, it creates a report that it stores in the REPORTFILE directory, as specified in the configuration file. Tripwire may also e-mail the report to the account specified with the GLOBALEMAIL variable, but only if Tripwire found problems or MAILNOVIOLATIONS is set to true. The command also sends the report to stdout, so you can see it on the screen. The report is fairly verbose, but pay particular attention to the filesystem summary section.
That’s more or less sums up the basic functions of tripwire, for more in depth details check out the man files.