RedHat seems to have dropped tripwire from RHEL as of version 3. Luckily, the wonderful Fedora project is still updating it. The SRPM mentioned in this HOWTO builds clean on RHEL 3, so I'm going to start there.
This script also looks promising, as the default policy looks a little crufty.
The Gentoo policy is based on the policy that comes with the RedHat package, so it's not much help.
A few quick commands:
Set the initial passphrases (site and local keys):
/etc/tripwire/twinstall.sh
To initialize the database:
/usr/sbin/tripwire --init
To run a report:
/usr/sbin/tripwire --check
To update the database after changing the policy (after resolving any errors):
/usr/sbin/tripwire --update-policy /etc/tripwire/twpol.txt
Both the RedHat/Fedora RPM and the Gentoo ebuild include a cron.daily script that runs a report and mails the output to root.
Some of the monitoring in the default twpol.txt seems to be a little overboard, but those details will work out over time.
Update (3/27/2004):
Another handy command, to update the database from a specific report file written by --check (reports land in /var/lib/tripwire/report/):
/usr/sbin/tripwire --update --twrfile /var/lib/tripwire/report/yourmachinename-date-time.twr
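The commands above are the whole routine, but the report filename in the last one has to be typed out by hand every time. The wrapper below is an added example, not part of the original post or the tripwire package: it picks the newest .twr in the report directory automatically and fronts the other commands. It assumes the RedHat/Fedora RPM paths used above (/usr/sbin/tripwire, /etc/tripwire/twpol.txt, /var/lib/tripwire/report), overridable through the TRIPWIRE, TWPOL and TWREPORTS variables, and a DRYRUN=1 switch (my own addition) that prints the command instead of running it.

```shell
#!/bin/sh
# Added example wrapper around the tripwire commands from the post.
# Paths assume the RedHat/Fedora RPM layout; override via environment.
TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
TWPOL=${TWPOL:-/etc/tripwire/twpol.txt}
TWREPORTS=${TWREPORTS:-/var/lib/tripwire/report}

# Run a command, or just print it when DRYRUN=1 (hypothetical switch,
# handy for seeing what the wrapper would do on a box without tripwire).
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the newest *.twr report in directory $1. Tripwire names reports
# hostname-YYYYMMDD-HHMMSS.twr, so for one host the sorted glob order is
# time order and the last match is the most recent. Returns 1 if none.
latest_report() {
    dir=$1
    last=
    for f in "$dir"/*.twr; do
        [ -f "$f" ] || continue
        last=$f
    done
    [ -n "$last" ] && printf '%s\n' "$last"
}

# /usr/sbin/tripwire --check
tw_check() {
    run "$TRIPWIRE" --check
}

# /usr/sbin/tripwire --update-policy /etc/tripwire/twpol.txt
tw_update_policy() {
    run "$TRIPWIRE" --update-policy "$TWPOL"
}

# /usr/sbin/tripwire --update --twrfile <newest report>
tw_update_latest() {
    rpt=$(latest_report "$TWREPORTS") || {
        echo "no .twr reports found in $TWREPORTS" >&2
        return 1
    }
    run "$TRIPWIRE" --update --twrfile "$rpt"
}

# Simple dispatch: tw.sh check | policy | update
case ${1:-} in
    check)  tw_check ;;
    policy) tw_update_policy ;;
    update) tw_update_latest ;;
    '')     : ;;
    *)      echo "usage: $0 check|policy|update" >&2; exit 2 ;;
esac
```

Run it as root after a daily check to reconcile the report into the database (`./tw.sh update`), or with `DRYRUN=1 ./tw.sh update` first to confirm it picked the report you expect. If reports from more than one hostname share the directory, the glob sorts by hostname before date, so the "newest" pick only holds for a single host.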