The --verify-database command requires that the
policy under which a file is checked is stored in the baseline
database. (Note that this affects only this command.
For normal file system monitoring,
the checking policy is taken from the configuration file,
not from the baseline database.)
For this reason, the format of the baseline database
has changed in samhain 4.0. However, it is possible that
the information about the check policy becomes incorrect:
- Added files
  If files are added to the filesystem after baseline
  initialisation and reported by the client, the correct
  policy should be set. To ensure this, the option
  ReportCheckflags = yes should be set
  in the client configuration (for backward compatibility,
  this option is off by default).
- Merging a DeltaDB
  The DeltaDB is generated with the policy set to
  ReadOnly, to collect a complete set
  of checksums and metadata. However, if the actual policy
  should be less restrictive because some of that data
  is allowed to change, a later --verify-database
  may result in spurious failures.
- Client configuration change
  If the configuration file for the client is changed
  to alter the checking policy for the monitored files,
  it is recommended to re-initialize the baseline.