Tripwire policy suggestions

Solution 1:

I think your assumptions are okay.

There is nothing interesting in /proc to watch, and its entries change every time. /dev is also a good question. I used to have that line, but now with udev I am not so sure.

You still have this line, don't you?

/var -> $(SEC_INVARIANT) (recurse = 0) ;

My real problem with tripwire is that it requires regular attention to keep it up to date. When I had the time it worked great, but not anymore.

Maybe it is worth taking a look at Samhain. It only reports once, then learns the changes. It has other great features (maybe I will extend this later).
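For reference, here is a policy fragment in tripwire's twpol.txt syntax that encodes the points made above: skip /proc entirely, watch /dev without baselining its udev-generated contents, and keep the /var line with recurse = 0 while covering the few things under /var that are worth a rule. This is an added example, not from the original post or from the tripwire project; the predefined masks ($(IgnoreNone), $(Growing), $(Device)) and the SEC_*/SIG_* names follow the stock policy file, while the specific device nodes and the paths under /var are assumptions that have to be matched to the host.

```text
# Added example (not from the thread): twpol.txt fragment.
# Assumed: /dev/null, /dev/zero, /dev/mem exist; Debian/RHEL-style
# database location under /var/lib/tripwire.

SIG_LOW = 33 ;
SIG_MED = 66 ;
SIG_HI  = 100 ;

SEC_INVARIANT = +tpug ;                 # type, permissions, owner, group only
SEC_LOG       = $(Growing) ;            # may grow, must not shrink or change owner
SEC_CRIT      = $(IgnoreNone)-SHa ;     # everything except SHA, Haval, access time

# /proc and /sys are generated by the kernel and differ on every run,
# so stop points keep tripwire from descending into them at all.
(
  rulename = "Kernel pseudo-filesystems",
  severity = $(SIG_LOW)
)
{
  !/proc ;
  !/sys ;
}

# /dev is rebuilt by udev at boot, so its contents are not baselined.
# Watch the directory entry itself plus a few fixed nodes that an
# attacker might swap for regular files (assumed set, adjust per host).
(
  rulename = "Device directory",
  severity = $(SIG_MED)
)
{
  /dev        -> $(SEC_INVARIANT) (recurse = 0) ;
  /dev/null   -> $(Device) ;
  /dev/zero   -> $(Device) ;
  /dev/mem    -> $(Device) ;
}

# The /var line from the thread: only the directory entry is checked,
# nothing below it is visited unless a rule names it explicitly.
(
  rulename = "Variable data",
  severity = $(SIG_LOW)
)
{
  /var                      -> $(SEC_INVARIANT) (recurse = 0) ;
  /var/log                  -> $(SEC_LOG) ;      # rotation shows up as a change; run tripwire --update afterwards
  /var/lib/tripwire         -> $(SEC_CRIT) ;     # database and keys (assumed path)
  !/var/lib/tripwire/report ;                    # a new report file appears on every check
}
```

Because /var is not recursed, directories such as /var/run, /var/tmp and /var/cache need no stop points; a stop point is only needed under a path that some rule walks recursively, which is why /var/lib/tripwire/report gets one and /var/run does not.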

Solution 2:

You know that open-source tripwire is outdated and not supported anymore? Plus, its configuration is a pain and it has no centralized support.

The recommended integrity monitors that are open source, have centralized support, and are actively maintained are:

- OSSEC - https://ossec.github.io/

- Samhain - http://www.la-samhna.de/samhain/

- Osiris - http://osiris.shmoo.com/

I am especially a fan of OSSEC, which is the simplest and easiest to use... But try them all and see which you like.