
tripwire guide

Tripwire is a useful intrusion detection system. It will monitor files on your system and notify you if something has been modified.

Before starting I would like to point out that everything described in this guide is covered in greater detail on your redhat documentation cd. This is merely a quick start guide for the newbie. I would read the entire official guide first and then follow along here; you will be more familiar with the process, and that should make implementing tripwire pretty easy. The official guide also has additional info about operating tripwire, creating reports, and updating your tripwire database to remove repetitive warnings on files that you have verified are ok. So basically, you need to read the guide and eventually check the man pages.

verify that you haven't already installed tripwire
#rpm -qa | grep tripwire

If it is not installed get it from your cd or download from your favorite redhat mirror.

install the tripwire rpm
rpm -ivh tripwire-XXX.rpm

configure tripwire
/etc/tripwire/twinstall.sh

insert pass phrases when asked and make a note of them as you will need them in the future.

initialize the tripwire database
#tripwire --init

check your tripwire database
#tripwire --check

run a report and pipe the output to less so you can compare the items it lists against the twpol.txt file and comment out unwanted entries to clean up the report output

#twprint -m r --twrfile /var/lib/tripwire/report/SERVER.NAME-XXXXXXXX-XXXXXX.twr | less

Scroll through the output of the report and, in another terminal, edit /etc/tripwire/twpol.txt. Comment out any items that show up as "No such file or directory".
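As an added example (not part of this guide), a small POSIX shell helper that pulls the "No such file or directory" paths out of a twprint text report and comments the matching rule lines out of a copy of twpol.txt. It assumes the Tripwire 2.3 error-report layout, where each entry has a "Filename:" line followed by the error text, and works on constructed sample input.

```shell
# Added example, not from the original guide: list the files a twprint report
# flags as "No such file or directory" and comment them out of twpol.txt.
# Assumes the Tripwire 2.3 error-report layout ("Filename:" line, then the
# error text on the next line); check it against your own report first.

# missing_files: stdin = twprint report; stdout = one missing path per line
# (paths containing spaces are not handled).
missing_files() {
    awk '$1 == "Filename:"                       { fn = $2; next }
         /No such file or directory/ && fn != "" { print fn; fn = "" }'
}

# comment_out_missing LIST: stdin = twpol.txt; stdout = the policy with every
# rule line whose object path is in LIST (newline separated) prefixed by "#".
# awk default field splitting makes $1 the object path of a rule line; a line
# that is already commented has $1 == "#" and is left alone.
comment_out_missing() {
    awk -v list="$1" '
        BEGIN {
            n = split(list, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") missing[a[i]] = 1
        }
        ($1 in missing) { print "#" $0; next }
        { print }'
}

# Constructed sample inputs, not output captured from a real system.
sample_report() {
    cat <<'EOF'
1.   File system error.
     Filename: /usr/sbin/fixrmtab
     No such file or directory
2.   File system error.
     Filename: /root/.Xauthority
     No such file or directory
EOF
}
sample_policy() {
    cat <<'EOF'
{
  /root/.bashrc         -> $(SEC_CONFIG) ;
  /root/.Xauthority     -> $(SEC_CONFIG) ;
  /usr/sbin/fixrmtab    -> $(SEC_CRIT) ;
}
EOF
}

# Usage: sample_policy | comment_out_missing "$(sample_report | missing_files)"
```

Run it against a copy of twpol.txt and diff the result before reinstalling the policy; a path reported as missing may be one you expected to be present, so look at the list before commenting it out.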

in the same twpol.txt file, change the server name from "localhost" to your server name.

add the emailto directive to each rule's attribute block so it looks like the example below.

(
rulename = "rulename goes here",
severity = $(SIG_HI),
emailto = user@servername.com
)

now that you have customized your twpol.txt file based on the report that you printed to screen, reinstall the policy file
#/etc/tripwire/twinstall.sh
reinitialize the database
#tripwire --init
check again
#tripwire --check
optionally you can run a check and verify that tripwire will email the report to the email address that you specified
#tripwire --check --email-report

if you didn't get it perfect, repeat until running "tripwire --check" gives a nice clean report that doesn't list lots of files that don't exist

now automate it to run daily and send an email to the address you specified in the twpol.txt file
By default there is a script in /etc/cron.daily called tripwire-check; it will run daily on its own. I like to specify the exact time it runs and change the script to send me an email.

to manually configure the time to run your script
move the script to another directory
# mv /etc/cron.daily/tripwire-check /scriptfoldername/tripwire-check

now edit your crontab
# crontab -e

this will open your crontab in your default editor "vi".
add this entry to run tripwire at 6:00 am every day

00 06 * * * /scriptfoldername/tripwire-check

save and exit

To set up the nightly check so that it emails the user(s) specified in the "emailto =" directive under each rulename, modify the line in the "tripwire-check" script that looks like this:

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check

and add --email-report to the end, like this

test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check --email-report

You can test the script's email functionality by manually running the script, or by setting your crontab to run it a few minutes in the future, to verify that all is working.

now you are set to run tripwire automatically and get the results emailed to you daily.

you now need to clean up a bit.
remove /etc/tripwire/*.txt. The .txt files are used to create the encrypted files that tripwire uses to run. They are only needed for your initial setup. If you like, burn a copy of them to cd rom, but definitely remove them from the system, as they show in clear text how tripwire was configured. I would also chmod any directory that holds scripts run as root so that only root has access to the directory and the files in question.

If you want to verify that tripwire is actually working
touch a key file, like /boot/boot.b
# touch /boot/boot.b

run tripwire check
#tripwire --check

you should see that tripwire notifies you that /boot/boot.b has been modified. If you want the warning about /boot/boot.b being modified to stop showing up on subsequent reports, read the tripwire guide that came with your redhat doc cd.

reference: man tripwire, redhat documentation cd installing tripwire section
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-tripwire.html
