Tripwire policy suggestions
Solution 1:
I think your assumptions are okay.
There is nothing interesting in proc to watch for, and they change every time. /dev is also a good question. I used to have that line, but now with udev I am not so sure.
You still have this line, don't you?
/var -> $(SEC_INVARIANT) (recurse = 0) ;
My real problem with tripwire is that it requires regular attention to keep it up-to-date. When I had the time it worked great, but not anymore.
Maybe it is worth taking a look at Samhain. It only reports once, then learns the changes. It has other great features (maybe I will extend this later).
Solution 2:
You know that tripwire open source is outdated and not supported anymore? Plus, its configuration is a pain and it has no centralized support.
The recommended integrity monitors that are open source, with centralized support and actively maintained are:
- OSSEC - https://ossec.github.io/
- Samhain - http://www.la-samhna.de/samhain/
- Osiris - http://osiris.shmoo.com/
I am especially a fan of OSSEC, which is the simplest and easiest to use... But try them all and see if you like them.