This is a bare-bones tutorial for installing Tripwire on the macOS. It is assumed that the person using this tutorial knows UNIX, the bash shell, how to unzip files and how to compile software. It is also assumed XCode is already installed and that you are the administrator with sudo privileges. If you don’t understand the preceding words, DON’T ATTEMPT THIS! STOP HERE!

Download from https://github.com/Tripwire/tripwire-open-source

Compilation

unzip tripwire-open-source-master.zip
cd tripwire-open-source-master
sudo ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/tripwire --mandir=/usr/local/share 
sudo make
sudo make install

Set passwords for key files:
If you didn’t set passwords during the make install step or forgot the password you set, you can still set them in this step.

sudo /usr/local/sbin/twadmin --generate-keys -L /usr/local/etc/tripwire/${HOSTNAME}-local.key
sudo /usr/local/sbin/twadmin --generate-keys -S /usr/local/etc/tripwire/site.key

Write policy file:

Download this sample policy file here. Modify it as needed. If you have users on other drives you will need to uncomment the line “/Volumes/ExtraDrive/Users” and change the drive name to your specific drive.

sudo  mkdir /etc/tripwire; sudo cp /usr/local/etc/tripwire/* /etc/tripwire
sudo /usr/local/sbin/twadmin --create-cfgfile -S /usr/local/etc/tripwire/site.key /usr/local/etc/tripwire/twcfg.txt
sudo /usr/local/sbin/twadmin --create-polfile -S /usr/local/etc/tripwire/site.key /usr/local/etc/tripwire/twpol.txt

Initialize database

sudo /usr/local/sbin/tripwire --init

Hourly check up as root: crontab -e

00 * * * * /usr/local/sbin/tripwire --check

OR

00 * * * * /usr/local/sbin/tripwire --check | mail -s "Tripwire report for `uname -n` `date`" user@email.com

Tripwire update database

sudo /usr/local/sbin/tripwire --update --twrfile /usr/local/lib/tripwire/report/{$HOSTNAME}-local.twr