What is the best practice?
Depends on what you want to check. On a stable server I choose to check stuff that's critical to operation, like the kernel, modules and maps, system and local binary dirs, main library dirs, and /etc auth DBs. I don't run Tripwire but AIDE, but the principle is the same. Make a rule that scans recursively, then supply that as the arg for the dir. Then you don't have to list individual binaries.
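An aide.conf fragment along the lines the answer describes, added here as an illustration and not taken from the poster's own configuration. The rule name `CritStatic` is hypothetical and the paths assume a typical Linux layout; a selection line that names a directory covers everything beneath it.

```conf
# Added example: rule name and paths are assumptions, adjust to the host.
# One attribute group, defined once and reused for every directory.
# p=permissions i=inode n=link count u=user g=group s=size
# m=mtime c=ctime sha256=content checksum
CritStatic = p+i+n+u+g+s+m+c+sha256

# Kernel, modules and maps
/boot             CritStatic
/lib/modules      CritStatic

# System and local binary dirs
/bin              CritStatic
/sbin             CritStatic
/usr/bin          CritStatic
/usr/sbin         CritStatic
/usr/local/bin    CritStatic
/usr/local/sbin   CritStatic

# Main library dirs
/lib              CritStatic
/usr/lib          CritStatic

# Auth databases in /etc: the trailing $ ends the regex so each line
# matches that one file only, not e.g. /etc/passwd- backups.
/etc/passwd$      CritStatic
/etc/shadow$      CritStatic
/etc/group$       CritStatic
/etc/gshadow$     CritStatic
```

Initialise the baseline database only from a known-good state, and keep the database and config where a local attacker cannot rewrite them (read-only media or another host).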