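# Tripwire (file-integrity monitoring) setup notes for FreeBSD ports.
# This is a walkthrough to follow step by step as root, not an unattended script:
# several steps are interactive (passphrase prompts, vi), and the "( ... )" example
# further down is twpol.txt policy syntax, not a shell command.

# Install Tripwire
cd /usr/ports/security/tripwire
# 'make clean' is deferred until the contrib script has been copied (see below):
# it removes the port's work/ directory, which is where that script is copied from.
make install
# Answer the questions and set the passphrases when prompted. Remember them: a lost
# passphrase cannot be recovered, and the site key passphrase is needed every time
# the policy is re-signed with "twadmin ... -S site.key" below.
# Set up email addresses for notification as described here (the guide is written
# for Red Hat Linux, so its file paths differ from the /usr/local/etc/tripwire
# paths used on this page):
# http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tripwire-update-policy.html#S2-TRIPWIRE-EMAIL
vi /usr/local/etc/tripwire/twpol.txt
# In each rule block (17 places) that has a "severity =" line, end that line with a
# comma and add an "emailto =" line after it to get an email. Example (policy text
# to type into twpol.txt, not something to run in the shell):
# NOTE(review): twpolicy(4) describes multiple addresses as a quoted,
# semicolon-separated list (emailto = "a@example.org;b@example.org"); confirm the
# unquoted form below is accepted -- twadmin reports policy syntax errors when the
# policy file is created in the next step.
(
rulename = "Networking Programs",
severity = $(SIG_HI),
emailto = johnray@domain.com;bob@domain.com
)
# Mail is only sent when a check is run with --email-report; confirm that the daily
# script installed below does so. "tripwire --test --email ADDRESS" sends a test
# message to verify that mail delivery works.
# Update your site policy (compiles twpol.txt and signs it with the site key)
/usr/local/sbin/twadmin --create-polfile -S /usr/local/etc/tripwire/site.key /usr/local/etc/tripwire/twpol.txt
# The clear-text twpol.txt lists exactly what is and is not monitored. Once the
# signed policy works, restrict access to it or move it off the host; it can be
# regenerated later with "twadmin --print-polfile".
# Create a new database
# The database is the baseline: whatever is on disk right now is recorded as
# known-good, so create it while the system is still trusted to be clean.
/usr/local/sbin/tripwire --init
# Make sure tripwire runs daily
# The version directory (tripwire-2.4.0.1) must match the version the port built.
cp /usr/ports/security/tripwire/work/tripwire-2.4.0.1/contrib/tripwire-check /etc/periodic/daily/998.tripwire-check
# periodic(8) runs this script as root: keep it owned by root and not writable by
# anyone else.
chmod +x /etc/periodic/daily/998.tripwire-check
# The contrib script has been copied, so the port's work directory can go now.
(cd /usr/ports/security/tripwire && make clean)
# Run tripwire manually as desired (try it at least once now)
/usr/local/sbin/tripwire --check
# Tripwire Reports (*.twr) are kept here: /var/db/tripwire/report/
# Get a list of your reports
ls /var/db/tripwire/report
# View a report: append the name of one .twr file from the listing above to the
# path below (as written, the path names only the report directory).
/usr/local/sbin/twprint -m r --twrfile /var/db/tripwire/report/
# NOTE: After you see your first report, you will want to clean up tripwire's
# configuration so it stops checking for things that don't exist; this means
# deleting the corresponding lines in twpol.txt.
vi /usr/local/etc/tripwire/twpol.txt
# You will then need to update your policy file and create a new database again.
# Re-running --init replaces the baseline with the current state of the disk, so
# read the report first and make sure every difference it lists is expected before
# accepting it.
/usr/local/sbin/twadmin --create-polfile -S /usr/local/etc/tripwire/site.key /usr/local/etc/tripwire/twpol.txt
/usr/local/sbin/tripwire --init
# Run tripwire manually again and view the new report to verify your policy is error free
# The keys, database and reports all live on the monitored host; keeping an offline
# copy of the keys and the database lets you re-verify after a suspected compromise.
# Guide: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/ch-tripwire.html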