I installed Tripwire on a few servers many years ago, and started out with the default policy file supplied by the distro. There were a huge number of references to files that didn't exist (because the relevant packages weren't installed), a lot of files that I thought should be included but weren't, and no doubt a lot of files that should have been included which I didn't think about. In summary, it was a painful experience, and I don't think I got the best out of it.
It's that time of the decade when shiny new servers turn up in the mail, and I intend to do things better this time. So, I did this:
# Check every property except access time (a) and the device ID a node points to (r)
Strict = $(IgnoreNone) -ar;
# Stop points: these trees are never scanned
!/home;
!/proc;
!/run;
!/sys;
!/tmp;
/ -> $(Strict) (recurse=true);
/boot -> $(Strict) (recurse=true);
/boot/efi -> $(Strict) (recurse=true);
# Device nodes: built-in Device mask checks ownership, mode and device numbers, not content
/dev -> $(Device) (recurse=true);
/dev/hugepages -> $(Device) (recurse=true);
/dev/mqueue -> $(Device) (recurse=true);
/dev/pts -> $(Device) (recurse=true);
/dev/shm -> $(Device) (recurse=true);
# Tripwire's own database is rewritten on update, so ignore the inode number (-i) as well
/var/lib/tripwire/$(HOSTNAME).twd -> $(Dynamic) -i;
/var/lib/tripwire/report -> $(Dynamic) (recurse=0);
# Logs: Growing flags a file that shrinks; -i tolerates rotation creating new inodes
/var/log -> $(Growing) -i (recurse=true);
My expectation is that over the next few days/weeks, I'll probably end up with plenty of alerts for completely innocent changes, but I can then review those and modify the policy file as appropriate. Fairly soon I should end up with a sensible policy.
Am I completely insane, or is this a reasonable place to start?
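A way to sanity-check what a policy like the one above actually does before letting Tripwire loose on it: the snippet below is an added example, not the poster's or Tripwire's own code. It parses the subset of policy syntax used in the post (variable definitions, "!" stop points, "path -> mask (attrs);" rules) and reports which rule governs a given path using Tripwire's most-specific-rule selection. It assumes stop points take precedence over any rule covering the same subtree and that recurse=false/0 monitors only the directory inode, not its children; the hostname "srv1" and the abridged policy text are constructed inputs.

```python
import re
import socket

# Added example, not the poster's or Tripwire's own code. It parses the policy
# subset used above and answers "which rule governs this path?" by Tripwire's
# most-specific-rule selection. Assumes stop points beat rules and that
# recurse=false/0 monitors the directory inode only, not its contents.
RULE_RE = re.compile(r"^(?P<path>\S+)\s*->\s*(?P<mask>.*?)\s*(\((?P<attrs>[^()]*=[^()]*)\))?$")

def recurse_limit(value):  # None = unlimited, else max depth below the rule path
    v = value.strip().lower()
    return None if v == "true" else 0 if v == "false" else int(v)

def parse_policy(text, hostname=None):  # -> (stop_points, {path: (mask, limit)})
    variables = {"HOSTNAME": hostname or socket.gethostname()}
    stop_points, rules = [], {}
    for stmt in re.sub(r"#.*", "", text).split(";"):  # drop comments, one statement per ';'
        line = stmt.strip()
        if not line:
            continue
        # Expand $(VAR) from earlier definitions; built-in masks stay literal.
        line = re.sub(r"\$\((\w+)\)", lambda m: variables.get(m[1], m[0]), line)
        if line.startswith("!"):
            stop_points.append(line[1:].strip())
        elif "->" in line:
            m = RULE_RE.match(line)
            attrs = dict(kv.strip().split("=", 1) for kv in (m["attrs"] or "").split(",") if "=" in kv)
            rules[m["path"]] = (m["mask"], recurse_limit(attrs.get("recurse", "true")))
        else:
            name, _, value = line.partition("=")
            variables[name.strip()] = value.strip()
    return stop_points, rules

def governing_rule(path, stop_points, rules):
    """Most specific rule containing path, or None if it is behind a stop point
    or deeper than the governing rule's recurse limit (i.e. unmonitored)."""
    def under(p, prefix):
        return p == prefix or p.startswith(prefix.rstrip("/") + "/")
    best = max((r for r in rules if under(path, r)), key=len, default=None)
    if best is None or any(under(path, s) for s in stop_points):
        return None
    mask, limit = rules[best]
    depth = 0 if path == best else len(path[len(best.rstrip("/")):].strip("/").split("/"))
    return None if limit is not None and depth > limit else (best, mask)

# Constructed input: an abridged copy of the post's policy.
POLICY = """Strict = $(IgnoreNone) -ar; !/home; !/proc;
/ -> $(Strict) (recurse=true); /dev/pts -> $(Device) (recurse=true);
/var/lib/tripwire/$(HOSTNAME).twd -> $(Dynamic) -i;
/var/lib/tripwire/report -> $(Dynamic) (recurse=0); /var/log -> $(Growing) -i (recurse=true);"""
```

Running `governing_rule` over a handful of paths you care about (e.g. /etc/passwd, /var/log/syslog, a file under /var/lib/tripwire/report) shows at a glance which mask each one ends up with and which ones are not monitored at all.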