# cd /etc/tripwire
# ./twinstall.sh
# tripwire –init
# rm twcfg.txt twpol.txt

The script twinstall.sh performs the following tasks within the directory /etc/tripwire:

• Creates the site key and the local key, prompting you to enter their passphrases. (If the keys exist, this step is skipped.) The site key is stored in site.key, and the local key in hostname-local.key, where hostname is the hostname of the machine.
• Signs the default configuration file, twcfg.txt, with the site key, creating tw.cfg.
• Signs the default policy file, twpol.txt, with the site key, creating tw.pol.

If for some reason your system doesn’t have twinstall.sh, equivalent manual steps are:

Helpful variables:
DIR=/etc/tripwire
SITE_KEY=$DIR/site.key
LOCAL_KEY=$DIR/`hostname`-local.key

Generate the site key:
# twadmin –generate-keys –site-keyfile $SITE_KEY

Generate the local key:
# twadmin –generate-keys –local-keyfile $LOCAL_KEY

Sign the configuration file:
# twadmin –create-cfgfile –cfgfile $DIR/tw.cfg \
–site-keyfile $SITE_KEY $DIR/twcfg.txt

Sign the policy file:
# twadmin –create-polfile –cfgfile $DIR/tw.cfg \
–site-keyfile $SITE_KEY $DIR/twpol.txt

Set appropriate permissions:
# cd $DIR
# chown root:root $SITE_KEY $LOCAL_KEY tw.cfg tw.pol
# chmod 600 $SITE_KEY $LOCAL_KEY tw.cfg tw.pol

(Or chmod 640 to allow a root group to access the files.)

These steps assume that your default configuration and policy files exist: twcfg.txt and twpol.txt, respectively. They should have been supplied with the Tripwire distribution. Undoubtedly you’ll need to edit them to match your system.

Next, tripwire builds the Tripwire database and signs it with the local key:

# tripwire –init

Enter the local key passphrase to complete the operation. If tripwire produces an error message like “Warning: File System Error,” then your default policy probably refers to nonexistent files. These are not fatal errors: tripwire still ran successfully. At some point you should modify the policy to remove these references.

The last step, which is optional but recommended, is to delete the plaintext (unencrypted) policy and configuration files:

# rm twcfg.txt twpol.txt

Break-ins of this kind can be detected by an integrity checker : a program that periodically inspects important system files for unexpected changes. The very first security measure you should take when creating a new Linux machine, before you make it available to networks and other users, is to “snapshot” (record) the initial state of your system files with an integrity checker. If you don’t, you cannot reliably detect alterations to these files later. This is vitally important!

Tripwire is the best known open source integrity checker. It stores a snapshot of your files in a known state, so you can periodically compare the files against the snapshot to discover discrepancies. In our example, if /bin/login and /bin/ls were in Tripwire’s snapshot, then any changes in their size, inode number, permissions, or other attributes would catch Tripwire’s attention. Notably, Tripwire detects changes in a file’s content, even a single character, by verifying its checksum.