
Updating a TSD Entry

If file attributes change, the corresponding TSD entries must be updated accordingly. Attributes such as owner, group, mode, and others can be changed in a TSD entry. Other attributes, such as hash_value, cert_tag, or signature, cannot be changed; if one of these changes, the TSD entry must be removed and recreated.

However, before changing an attribute of a TSD entry, you should ensure that the new value of the attribute is correct and not the result of an attacker’s change or an unintentional change. If you simply adopt changed attributes without verification, integrity monitoring makes little sense. Changes made by attackers will then simply be incorporated into the TSD as the new target state.

As an example, we created a TSD entry for the volatile file /opt/pwrcmps/etc/config in the section "Files with frequently changing (volatile) Content". The file currently has the following permissions:

# ls -l /opt/pwrcmps/etc/config
-rw-r--r--    1 root     system           20 Mar 22 17:53 /opt/pwrcmps/etc/config
#

However, the configuration file only needs to be readable by the root user and the system group. Read permissions for everyone else aren’t necessary. To increase security, we’ll remove read permissions for others:

# chmod o-r /opt/pwrcmps/etc/config
#

However, a system audit now reports the changed permissions, because the TSD entry still contains the read permission for others:

# trustchk -n /opt/pwrcmps/etc/config
trustchk: /opt/pwrcmps/etc/config: Verification of attributes failed: mode
#

In this case, changing the mode attribute is acceptable. To make the change, use the “-u” (update) option as follows:

# trustchk -u /opt/pwrcmps/etc/config mode=640
#

Note: Multiple attributes can be specified.

Now, the permissions of the file and the mode attribute in the TSD entry match again.
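
The verification called for above can be scripted so that a changed mode is adopted into the TSD only when it equals a value approved beforehand. This is an added example, not part of the original page or of AIX; the function names and the TRUSTCHK override variable are assumptions, and only plain rwx modes (no setuid, setgid or sticky bits) are handled.

```shell
# Added example (not from the original page). TRUSTCHK is a hypothetical
# override so the script can be dry-run with a stub; it defaults to trustchk.
TRUSTCHK="${TRUSTCHK:-trustchk}"

# Convert the permission field of `ls -ld` (e.g. -rw-r-----) to octal (640).
# Special bits (s, S, t, T) are rejected: only plain rwx modes are covered.
perm_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    [ "${#perms}" -eq 9 ] || return 1
    case "$perms" in *[!rwx-]*) return 1 ;; esac
    out=""
    for start in 1 4 7; do
        triple=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case "$triple" in r??) digit=$((digit + 4)) ;; esac
        case "$triple" in ?w?) digit=$((digit + 2)) ;; esac
        case "$triple" in ??x) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s\n' "$out"
}

# Print the octal mode the file has on disk right now.
current_mode() {
    listing=$(ls -ld "$1") || return 1
    perm_to_octal "${listing%% *}"
}

# adopt_mode FILE APPROVED_MODE
# APPROVED_MODE comes from the change record, never from the file itself.
# Returns 2 and leaves the TSD untouched if the on-disk mode differs.
adopt_mode() {
    file=$1
    approved=$2
    actual=$(current_mode "$file") || return 1
    if [ "$actual" != "$approved" ]; then
        echo "REFUSED: $file is mode $actual, approved mode is $approved" >&2
        return 2
    fi
    # Mode matches the approved value: update the TSD entry, then re-check.
    "$TRUSTCHK" -u "$file" "mode=$approved" && "$TRUSTCHK" -n "$file"
}

# Usage on the page's example: adopt_mode /opt/pwrcmps/etc/config 640
```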