tripwire - a file integrity checker for UNIX systems
Tripwire creates a baseline database in the location specified by the DBFILE variable in the Tripwire configuration file. The database is essentially a snapshot of the objects residing on the system. During later Tripwire integrity checks, this database serves as the basis for comparison.
When run in Database Initialization mode, tripwire reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database.
After building the Tripwire database, the next step is typically to run tripwire in Integrity Checking mode. This mode scans the system for violations, as specified in the policy file. Using the policy file rules, Tripwire will compare the state of the current file system against the initial baseline database. An integrity checking report is printed to stdout and is saved in the location specified by the REPORTFILE setting in the Tripwire configuration file.
The generated report describes each policy file violation in detail, depending on whether the specified file system object was added, deleted, or changed.
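The two modes described above, as an added sketch that is not Tripwire's own code: HMAC-SHA-256 with a shared key stands in for Tripwire's database signing, JSON stands in for its database format, and every function and file name here is an assumption made for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's relative path to [SHA-256 digest, mode bits]."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[str(path.relative_to(root))] = [digest, path.stat().st_mode]
    return state

def init_db(root, key):
    """Database Initialization: snapshot the tree, then sign the database."""
    body = json.dumps(snapshot(root), sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def check(root, body, tag, key):
    """Integrity Checking: verify the signature, then diff against baseline."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database signature mismatch")
    base, now = json.loads(body), snapshot(root)
    return {
        "added": sorted(now.keys() - base.keys()),
        "deleted": sorted(base.keys() - now.keys()),
        "changed": sorted(p for p in base.keys() & now.keys() if base[p] != now[p]),
    }

def demo():
    """Constructed tree: one file is changed, one deleted, one added."""
    key = b"constructed-demo-key"  # assumption: stand-in for a real signing key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_bytes(b"mode=a\n")
        (root / "motd").write_bytes(b"hello\n")
        body, tag = init_db(root, key)
        (root / "app.conf").write_bytes(b"mode=b\n")
        (root / "motd").unlink()
        (root / "newfile").write_bytes(b"x")
        report = check(root, body, tag, key)
        try:  # an edited database must be rejected before any comparison
            check(root, body + b" ", tag, key)
            rejected = False
        except ValueError:
            rejected = True
    return report, rejected

if __name__ == "__main__":
    print(demo())
```

Verifying the signature before comparing is what makes the baseline trustworthy: without it, whoever can modify a monitored file could also rewrite the snapshot to match.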
From root Tue Mar 26 01:15:27 2002
To: root@localhost.localdomain
Subject: Anacron job 'cron.daily'

/etc/cron.daily/tripwire-check:

**** Error: Tripwire database for localhost.localdomain not found. ****
**** Run /etc/tripwire/twinstall.sh and/or tripwire --init. ****