How to Install Tripwire IDS on Debian 13, 12 and 11

Last updated Monday, June 8, 2026 8:52 am Joshua James 7 min read

Installing Tripwire IDS on Debian gives administrators file integrity monitoring through a signed baseline, so unexpected system-file changes stand out from planned package updates or configuration work. Debian 13, 12, and 11 provide Open Source Tripwire 2.4.3.7 from the default main repository, making APT the right starting point.

Debian 12 Bookworm needs an extra check after installation because affected Bookworm builds can hit a tripwire --init segmentation fault before the baseline database is created. If initialization fails, stop before treating Tripwire monitoring as active.

Update Debian Before Installing Tripwire

Refresh your package lists and apply pending updates before installing a security monitoring tool:

sudo apt update && sudo apt upgrade

If your account cannot run sudo, configure administrative access first with the Debian sudoers setup guide, then return to this installation.

Install Tripwire IDS on Debian

Install the Tripwire package on Debian with APT:

sudo apt install tripwire

The Debian package installs Tripwire’s command-line tools under /usr/sbin. If the system does not already have a mail transport package, APT can also install one because Tripwire supports rule-level email notifications. Most Tripwire commands in this workflow use sudo so the sbin path and root-owned Tripwire files are available.

The upstream Open Source Tripwire project is maintained on GitHub, but Debian users should use the packaged build unless they have a specific source-build requirement.

Check Debian Version Behavior

The install command works across the supported Debian releases, but baseline initialization differs by release:

Debian release | Package behavior
Debian 13 (Trixie) | The APT package installs cleanly, and the policy rebuild, database initialization, integrity check, and report-reading workflow complete normally.
Debian 12 (Bookworm) | The package installs and the policy can be rebuilt, but tripwire --init can fail with a segmentation fault before the database is created. Check the Debian 12 troubleshooting note before relying on Tripwire for monitoring.
Debian 11 (Bullseye) | The APT package installs cleanly, and the policy rebuild, database initialization, integrity check, and report-reading workflow complete normally.

Understand the Tripwire Key System

Tripwire uses two separate passphrases during the Debian package configuration:

  • Site key passphrase: Protects the signed configuration and policy files. Use this passphrase when you rebuild tw.cfg or tw.pol.
  • Local key passphrase: Protects the database and reports on this specific host. Use a unique local key for each system you monitor.

Store both passphrases securely. If you lose them, you must regenerate the keys and reinitialize the database, which discards the old integrity baseline.

Respond to Debian Package Prompts

In an interactive terminal, Debian shows debconf prompts while configuring Tripwire. Use Tab to move between buttons and Enter to confirm a highlighted choice.

  1. Accept the warning about creating or using the site key during installation.
  2. Choose <Yes> when asked to create or use the site key, then enter the site passphrase twice.
  3. Choose <Yes> when asked to create or use the local key, then enter a different local passphrase twice.
  4. Choose <Yes> to rebuild the Tripwire configuration file.
  5. Choose <Yes> to rebuild the Tripwire policy file.

Debian can also show a note that Tripwire no longer emails one daily compliance report by default. Keep report review local unless you later configure rule-level email recipients in the policy and a working local mail transport.

After those prompts, the package creates the signed configuration, signed policy, site key, and local key under /etc/tripwire/.

Verify the Tripwire Installation

Confirm the installed Tripwire version with sudo:

sudo tripwire --version

On x86_64 Debian, relevant output includes:

Open Source Tripwire(R) 2.4.3.7.0 built for x86_64-pc-linux-gnu

Then list the package-created files:

sudo find /etc/tripwire -maxdepth 1 -type f -printf '%f\n' | sort

Expected files include:

<hostname>-local.key
site.key
tw.cfg
twcfg.txt
tw.pol
twpol.txt

Configure the Tripwire Policy

Tripwire’s default policy covers many system paths, but some entries may not exist on every Debian installation. Clean the missing-path noise before initializing the database so later reports are easier to read.

Adjust Report Verbosity

Tripwire’s default report level is 3. If you want more verbose reports, edit the text configuration source:

sudo nano /etc/tripwire/twcfg.txt

Find REPORTLEVEL, change 3 to 4, save the file, then rebuild the signed configuration:

sudo twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

Enter the site key passphrase when prompted.

Remove Missing File Entries

Create a small helper script that comments out policy entries for files missing on the current host and updates the policy hostname:

sudo nano /etc/tripwire/twpolmake.pl

Paste the following Perl script:

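#!/usr/bin/perl
# twpolmake.pl: comment out policy rules for paths missing on this host
# and set HOSTNAME to the local hostname. Prints the new policy to stdout.
use strict;
use warnings;

my $POLFILE = $ARGV[0] or die "usage: $0 <twpol.txt>\n";

open(my $pol, '<', $POLFILE) or die "open error: $POLFILE: $!";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;

while (<$pol>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the policy hostname when it differs from this host
        $myhost = `hostname`;
        chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^\{/) {
        $INRULE = 1;    # entering a rule block
    }
    elsif (/^\}/) {
        $INRULE = 0;    # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is true when the entry was already commented out
        my $ret = ($sharp =~ s/\#//g);
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -e $tpath) {
            # Path is missing: comment the rule out unless it already was.
            # -e tests existence, so empty files that exist stay monitored.
            $_ = "$sharp#$tpath$cond" unless $ret;
        }
        else {
            # Path exists: emit the rule uncommented
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close($pol);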

Save the script, then generate a cleaned policy source and rebuild the signed policy:

sudo perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt | sudo tee /etc/tripwire/twpol.txt.new > /dev/null
sudo twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new

Enter the site key passphrase when twadmin asks for it. Using full paths matters here; relative paths such as tw.cfg fail unless your shell is already inside /etc/tripwire/.

Initialize the Tripwire Database

Initialize the database after the policy is ready. This database becomes the baseline Tripwire compares against future checks:

sudo tripwire --init

Enter the local key passphrase when prompted. A first-run warning that /var/lib/tripwire/<hostname>.twd does not exist is expected because Tripwire is creating that database file.

View the beginning of the database inventory if you want to confirm that the file was created:

sudo twprint -m d -d "/var/lib/tripwire/$(hostname).twd" | head -50

Run a Tripwire Integrity Check

Run an integrity check to compare current file states against the signed baseline:

sudo tripwire --check

Tripwire can exit with a nonzero status for warnings or detected differences, so read the report summary before assuming the command failed. On a newly initialized system, the first report can still flag Tripwire data or report files that changed after the baseline was written; review those paths before deciding whether to tune the policy or accept the change.

Reports are stored under /var/lib/tripwire/report/:

sudo ls -la /var/lib/tripwire/report/

Read a specific report with twprint:

sudo twprint -m r --twrfile /var/lib/tripwire/report/<report-filename>.twr
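
The nonzero exit status mentioned above can be decoded before opening a report. This is an added example, not part of the original guide: the function names are hypothetical, and it assumes the exit-status bitmask documented in tripwire(8) for integrity checks (1 added, 2 removed, 4 modified, 8 error during the check).

```bash
#!/usr/bin/env bash
# Added example: interpret `tripwire --check` results for a cron wrapper.

# tw_check_summary RC
# Prints what the exit status means. Returns 0 when clean, 1 when there
# are violations to review, 2 when the check itself did not complete.
tw_check_summary() {
    local rc=$1 out=""
    if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
    # Values outside the 4-bit mask (for example 128+signal after a crash)
    # are not a report result and must not be decoded as one.
    if [ "$rc" -gt 15 ]; then echo "abnormal-exit"; return 2; fi
    if [ $((rc & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((rc & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then out="$out modified"; fi
    if [ $((rc & 8)) -ne 0 ]; then out="$out error"; fi
    echo "${out# }"
    if [ $((rc & 8)) -ne 0 ]; then return 2; fi
    return 1
}

# tw_latest_report [DIR]
# Prints the newest .twr file in DIR (default: the article's report
# directory), or nothing when no report exists yet.
tw_latest_report() {
    local dir=${1:-/var/lib/tripwire/report}
    ls -t "$dir"/*.twr 2>/dev/null | head -n 1
}

# Typical use as root (commented out so the file can be sourced safely):
#   /usr/sbin/tripwire --check --quiet; rc=$?
#   logger -t tripwire "check: $(tw_check_summary "$rc") report=$(tw_latest_report)"
```

The path printed by tw_latest_report is the value to pass to twprint or tripwire --update with --twrfile.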

Test File Change Detection

To confirm that Tripwire detects file additions, create a temporary file under a monitored directory and run another check:

sudo touch /root/lc-tripwire-test
sudo tripwire --check

The report should list the test file as an addition. Remove the file after the test and run another check when you want to confirm the temporary change is gone:

sudo rm /root/lc-tripwire-test
sudo tripwire --check

Do not accept temporary test files into the Tripwire database. Use database updates only for intentional system changes you want to make part of the new baseline.

Update the Tripwire Database After Legitimate Changes

When a package update, configuration edit, or other planned change should become part of the baseline, run a fresh check first, review the report, then update the database from that report:

sudo tripwire --check
sudo tripwire --update --twrfile /var/lib/tripwire/report/<report-filename>.twr

The update mode opens an editor where checked entries are accepted into the database. Remove the marker next to any change you do not want to accept, then save and exit. Use --accept-all only after you have already reviewed the report and want every listed change accepted without an editor.

Update Tripwire on Debian

Debian updates Tripwire through the normal APT package flow. Refresh package metadata, then upgrade the installed Tripwire package when a newer build is available:

sudo apt update
sudo apt install --only-upgrade tripwire

If APT upgrades Tripwire or other monitored packages, run a check afterwards, review the report, and update the database only for expected package changes. Do not use Tripwire’s database update step as a substitute for reading the report.

For automatic patching, configure unattended security upgrades on Debian separately; Tripwire reports file changes after updates run, but it does not install security updates itself.

Schedule Tripwire Checks

The Debian package installs a daily cron job at /etc/cron.daily/tripwire. Confirm it exists before adding another schedule:

sudo ls -l /etc/cron.daily/tripwire

If the packaged daily cadence is enough, you do not need a separate root crontab entry. To run checks at a different interval, edit root’s crontab:

sudo crontab -e

For example, this entry runs a quiet check every 12 hours:

0 */12 * * * /usr/sbin/tripwire --check --quiet

The --quiet flag suppresses normal output but still creates reports. The packaged cron job includes --email-report, but Debian’s packaged Tripwire uses rule-level email recipients rather than one global daily-report prompt. Configure the local mail transport and policy mail settings before relying on cron email. For custom timing, test the expression with a tool such as Crontab.Guru.

Troubleshoot Tripwire on Debian

Tripwire Command Not Found

On Debian, tripwire, twadmin, and twprint are installed under /usr/sbin. A normal user shell may not include that directory in PATH. Run Tripwire commands with sudo, or call the binary by its full path:

sudo tripwire --version
/usr/sbin/tripwire --version

Debian 12 tripwire --init Segmentation Fault

On affected Debian 12 Bookworm systems, database initialization stops before writing a usable baseline:

sudo tripwire --init

The failure appears as:

Software interrupt forced exit: Segmentation Fault

This matches Debian Tripwire bug #1053286 for the Bookworm-era 2.4.3.7-4 package series. Confirm your installed candidate before troubleshooting policy syntax:

apt-cache policy tripwire

If the command shows a Bookworm 2.4.3.7-4 build and sudo tripwire --init segfaults, do not continue as if monitoring is active. Use a Debian release with a working Tripwire baseline, wait for a fixed Bookworm package, or choose another file-integrity monitoring tool for that host.
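
One way to enforce "do not continue as if monitoring is active" in a provisioning script is to gate on the baseline itself. This is an added example, not part of the original guide: the function name and status words are hypothetical, the default paths are the ones this article uses, and the policy-age comparison is a heuristic that assumes a policy rebuilt after the baseline requires a fresh --init.

```bash
#!/usr/bin/env bash
# Added example: decide whether a Tripwire baseline is usable.
# Run as root (sudo) on a real host so the ownership test means "root".

# tw_baseline_status INIT_RC [DB] [POLICY]
# INIT_RC is the exit status captured from `tripwire --init`.
# Prints one status word and returns 0 only for "ok".
tw_baseline_status() {
    local init_rc=$1
    local db=${2:-/var/lib/tripwire/$(hostname).twd}
    local pol=${3:-/etc/tripwire/tw.pol}

    # A crashed or failed --init (the Bookworm segfault) means no baseline.
    if [ "$init_rc" -ne 0 ]; then echo "init-failed"; return 1; fi
    # The database file must exist and be non-empty.
    if [ ! -s "$db" ]; then echo "db-missing"; return 1; fi
    # -O: owned by the effective user, which is root when run under sudo.
    if [ ! -O "$db" ]; then echo "db-wrong-owner"; return 1; fi
    # A signed policy newer than the database suggests the baseline was
    # not reinitialized after the last policy rebuild.
    if [ -e "$pol" ] && [ "$pol" -nt "$db" ]; then
        echo "db-older-than-policy"; return 1
    fi
    echo "ok"
}

# Typical use as root (commented out so the file can be sourced safely):
#   tripwire --init; rc=$?
#   tw_baseline_status "$rc" >/dev/null || echo "Tripwire monitoring is NOT active" >&2
```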

No Baseline Database Found

If a check reports that the database file cannot be opened, the baseline has not been initialized or the database was removed:

sudo tripwire --check

The report error looks similar to:

### Error: File could not be opened.
### Filename: /var/lib/tripwire/hostname.twd

Initialize the database again:

sudo tripwire --init

Many Warnings About Missing Files

If reports are dominated by missing paths from the default policy, rerun the policy cleanup script from the configuration section and rebuild the signed policy:

sudo perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt | sudo tee /etc/tripwire/twpol.txt.new > /dev/null
sudo twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new

After changing the policy, initialize the database again so the baseline matches the new policy.

Forgot Tripwire Passphrase

If you lose the site or local passphrase, regenerate the keys and rebuild the configuration:

sudo rm -f /etc/tripwire/*.key /etc/tripwire/tw.cfg /etc/tripwire/tw.pol
sudo rm -f /var/lib/tripwire/*.twd
sudo dpkg-reconfigure tripwire

Regenerating the keys removes the existing integrity baseline. Reinitialize the database after reconfiguration and treat earlier reports as historical only.

Permission Denied on Database Files

Tripwire stores databases and reports under /var/lib/tripwire/, which is root-owned. Use sudo for database, report, and policy commands. To inspect ownership:

sudo ls -la /var/lib/tripwire/

If the ownership was changed accidentally, restore root ownership:

sudo chown -R root:root /var/lib/tripwire/

Remove Tripwire from Debian

If you no longer need Tripwire, purge the package first:

sudo apt purge tripwire

Review orphaned dependencies separately before removing them. Tripwire can pull in mail transport packages, and another service may depend on those packages on a real server:

sudo apt-get -s autoremove --purge

If the preview lists only packages you no longer need, run the real cleanup:

sudo apt autoremove --purge

Remove Remaining Tripwire Data

The cleanup command permanently deletes Tripwire configuration, keys, databases, and reports. Keep a backup first if you need historical integrity records.

sudo rm -rf /etc/tripwire/ /var/lib/tripwire/

Verify Tripwire Removal

Confirm that Tripwire no longer has an installed package record:

dpkg-query -W -f='${db:Status-Abbrev} ${binary:Package}\n' tripwire 2>/dev/null | grep '^ii' || echo "Tripwire is not installed"

Relevant output should show:

Tripwire is not installed

Conclusion

When initialization succeeds, Tripwire is installed from Debian’s default repository with signed configuration files, a local integrity database, and a repeatable check workflow. Review reports before accepting baseline changes, and pair file integrity monitoring with related controls such as chkrootkit rootkit scans on Debian and Fail2Ban login protection on Debian.
