I think Tripwire has a major design flaw which is that it
doesn't support non-existent files. By commenting out files
that are not present on the system, the user asks Tripwire
to ignore that file, when it should be asking Tripwire to note
that the file doesn't exist.
All an attacker has to do is find out which files Tripwire isn't
looking for and then use that information to his or her own
advantage. Monitoring directories is a partial solution, but I
think a better solution would be for Tripwire to note that all
of one file's attributes are absent (thus, the file is absent)
when building or updating the database.
In addition, going through the list of errors generated when
Tripwire builds or updates the database and commenting out
the absent files is tedious. I administer several systems, and
I've been copying one configured policy file to several
machines. If there is any file absent on the first machine's
configuration that is present anywhere else, it is much
easier for me to ignore that file than to customise the policy
file for each additional machine.
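The behaviour argued for above, recording "this file is absent" as a baseline attribute rather than dropping the entry, as an added illustration in Python that is not part of the original post and is not Tripwire's own code. The policy is a plain list of paths; a path that does not exist at database-build time is stored with an explicit ABSENT marker, so a later check reports it as "appeared" instead of never looking at it, and the same policy list can be reused on hosts where some entries are missing without editing it. The file names, the ABSENT marker and the attribute set are assumptions chosen for the example; the temporary directory and its contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Marker stored in the baseline for a policy path that did not exist.
# (Assumed representation; Tripwire's real database format differs.)
ABSENT = "absent"


def snapshot(path):
    """Return a dict of attributes for path, or ABSENT if it does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ABSENT
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_database(policy_paths):
    """Baseline every policy path, keeping absent ones instead of dropping them."""
    return {p: snapshot(p) for p in policy_paths}


def check(database):
    """Compare the live filesystem against the baseline; return (path, status) pairs."""
    findings = []
    for p, baseline in database.items():
        current = snapshot(p)
        if baseline == ABSENT and current != ABSENT:
            # The case a commented-out policy entry would silently miss.
            findings.append((p, "appeared"))
        elif baseline != ABSENT and current == ABSENT:
            findings.append((p, "removed"))
        elif baseline != current:
            findings.append((p, "changed"))
    return findings


def demo():
    """Constructed scenario: one present file, one absent file, in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "sshd_config")  # assumed file names
        missing = os.path.join(d, "rc.local")
        Path(present).write_text("PermitRootLogin no\n")

        db = build_database([present, missing])
        assert db[missing] == ABSENT  # absence is recorded, not ignored

        # Simulate tampering: the monitored file is edited and the
        # previously non-existent file is planted.
        Path(present).write_text("PermitRootLogin yes\n")
        Path(missing).write_text("#!/bin/sh\n")

        return {os.path.basename(p): status for p, status in check(db)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:>8}  {name}")
```

Running the script reports sshd_config as changed and rc.local as appeared; with the entry for rc.local commented out of the policy, as the post describes, only the first finding would ever be produced.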