tripwire(8)
Tripwire is a file integrity monitoring tool that detects unauthorized changes to system files and directories.
Synopsis
tripwire --init [options] | tripwire --check [options] | tripwire --update [options]
Description
Tripwire monitors file systems for unauthorized modifications by creating a database of file attributes (checksums, permissions, timestamps, sizes) and comparing them against the current state. It's commonly used to detect intrusions, malware, or accidental changes to critical system files.
The tool requires initial setup: you define which files to monitor in a policy file, initialize a database, then run periodic checks. When changes are detected, Tripwire generates detailed reports identifying what was modified, added, or deleted.
Tripwire uses encrypted policy and database files to prevent tampering by attackers. It's particularly valuable on servers where file integrity must be maintained and audited.
Common options
| Flag | What it does |
|---|---|
| --init | Initialize the Tripwire database from the policy file (creates baseline) |
| --check | Compare current system state against the database and generate a report |
| --update | Update the database with changes verified as legitimate |
| --interactive | Run in interactive mode for --update, allowing you to approve/reject changes |
| -p POLICY | Specify policy file to use (default: /etc/tripwire/tw.pol) |
| -d DATABASE | Specify database file location (default: /var/lib/tripwire/) |
| -r REPORT | Specify report file to generate or read |
| --email-report | Email the check report to configured recipients |
| --version | Display Tripwire version information |
| --help | Display help message with available options |
Examples
Initialize the Tripwire database from the default policy file, creating the baseline
tripwire --init

Run an integrity check against the database and generate a report
tripwire --check

Perform a check and email the results to the configured recipients
tripwire --check --email-report

Update the database with changes documented in a specific report file
tripwire --update -r /var/lib/tripwire/report.twr

Interactively review and approve/reject changes before updating the database
tripwire --update --interactive

Run a check using a custom policy file instead of the default
tripwire --check -p /etc/tripwire/custom.pol

Print and view a Tripwire report in plain text format
twprint -m r -r /var/lib/tripwire/report.twr | less

Initialize the database with verbose output showing all files being scanned
tripwire --init --verbose