Specifications
62
do not enable the Kernel Module Verification during the installation, you
have to generate the baseline manually before Integrity Checking is
enabled.
All files that are added to the baseline during the installation are set to
Allow and Alert protection mode.
Passphrase
The generated baseline has to be signed to prevent anyone from
modifying the protected files.
The product verifies the baseline and the system integrity
cryptographically. A cryptographic algorithm is applied to the baseline
contents and the passphrase to generate a signature (a HMAC signature)
of the baselined information.
You should not share the passphrase with other administrators without
fully understanding the consequences. Other administrators could tamper
with the baseline and regenerate it using the same passphrase, and the
subsequent check would appear to be all right.
Command Line
For information how to create and check the system integrity from the
shell, see “fsic”, 73.
IMPORTANT: You must take great care not to forget the
passphrase used as it cannot be recovered and the baseline
cannot be verified against tampering without using the same
passphrase.