Hi Mathias,

I've installed tripwire from the SuSE RPM and it came with the configuration below which I think is quite reasonable. It watches all filesystems (/ R) and excludes only areas where changing files are quite normal.

However, for a no-luser machine like a firewall you probably can remove the exclusion of:

/home
/dev
/etc/mtab

You may just comment it out and see if it gives you false alarms.

Please note that with this configuration you will encounter alarms triggered by /etc changing mtime and ctime - that's completely ok, because some daemons shuffle files around in /etc regularly.

Regards,
Matthias

#
# Tripwire config-file
#
/ R
!/proc
!/var
!/root
/root/bin
!/dev
!/tmp
!/etc/mtab
!/etc/ntp.drift
!/etc/ld.so.cache
!/etc/snmpd.agentinfo
!/etc/ssh_random_seed
!/etc/mail/sendmail.st
!/home
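
Added example (not part of the original message, and not Tripwire's own code): a simplified Python model of the configuration above, showing which paths are left unwatched and what changes once the /home, /dev and /etc/mtab exclusions are commented out. It assumes the most specific entry wins and that an entry without flags defaults to R, and it ignores mount points; the function names and sample paths are constructed.

```python
import posixpath
# Entries from the message above.
TW_CONFIG = """\
/ R
!/proc
!/var
!/root
/root/bin
!/dev
!/tmp
!/etc/mtab
!/etc/ntp.drift
!/etc/ld.so.cache
!/etc/snmpd.agentinfo
!/etc/ssh_random_seed
!/etc/mail/sendmail.st
!/home
"""

def parse(text):
    """Return {path: flags}; flags is None for a "!" exclusion."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):
            rules[posixpath.normpath(line[1:].strip())] = None
        else:
            parts = line.split()
            # Assumption: no select-flags means the default template R.
            rules[posixpath.normpath(parts[0])] = parts[1] if len(parts) > 1 else "R"
    return rules

def effective(rules, path):
    """Most specific matching entry wins (simplified model, an assumption)."""
    p = posixpath.normpath(path)
    while p not in rules and p != "/":
        p = posixpath.dirname(p)
    return rules.get(p)

def without(rules, *paths):
    """Rules with the named exclusions commented out."""
    return {k: v for k, v in rules.items() if k not in paths}

if __name__ == "__main__":
    fw = without(parse(TW_CONFIG), "/home", "/dev", "/etc/mtab")
    for p in ("/home/alice/.profile", "/dev/null", "/etc/mtab", "/var/log/messages"):
        print(p, effective(fw, p))
```

A result of None means the path is not checked; /var stays unwatched in both variants, so anything placed there is outside the integrity check.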