Yesterday I added a hard drive to my computer, and this morning I came in to find that *every* file's device number had changed. Tripwire of course dutifully reported this in a huge 64MB report email.
How would I prevent this from happening again, the next time I add or remove a hard drive? Force a database init? That would cause me to lose info about any changes that were made before the update.
The only way to keep this from happening is to prevent Tripwire from recording the Device ID for each file in the policy. This is the 'd' attribute, and there are two ways to make this change universal:
1) Add a '-d' to the end of every appropriate rule in the policy, e.g.:

    /etc -> $(SEC_BIN) -d ;

2) Modify the $(SEC_BIN/CRIT/CONFIG/etc) variable definitions to include the -d attribute. This way, all rules using these variables will inherit the new definition:

    SEC_CRIT = $(IgnoreNone)-SHad ;

The 2nd option is best, but it assumes that all rules in your policy make use of these variables. If you've gone off on your own, you'll have to modify those rules directly.
Let me know if this works for you.
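
A way to check the caveat in the reply above, that some rules may not use the patched variables: this added example (not part of the original posts, and not Tripwire's own tooling) scans policy text and lists the rules whose property mask still leaves 'd' on. The sample policy is constructed, the function names are hypothetical, and any variable not defined in the text itself (the predefined ones such as ReadOnly) is assumed to record the device number.

```python
import re

# Constructed sample in twpol.txt style; paths and the SEC_LOG name are illustrative.
SAMPLE_POLICY = """
SEC_CRIT = $(IgnoreNone)-SHad ;   # patched as in option 2
SEC_BIN  = $(ReadOnly) ;          # not patched
SEC_LOG  = $(Growing)-d ;
/boot    -> $(SEC_CRIT) ;
/etc     -> $(SEC_BIN) -d ;       # patched per rule, as in option 1
/usr/bin -> $(SEC_BIN) ;
/var/log -> $(SEC_LOG) (recurse = 1) ;
/opt/app -> +pinugsdm ;           # hand-written mask, no variable
!/proc ;
"""

VAR_DEF = re.compile(r"^(\w+)\s*=\s*(.+)$", re.S)
RULE = re.compile(r"(\S+)\s*->\s*(.+)$", re.S)
ATTRS = re.compile(r"(?<!\$)\([^()]*\)\s*$")   # trailing "(recurse = 1)" group
VAR_REF = re.compile(r"\$\((\w+)\)")

def expand(mask, variables, depth=0):
    """Substitute user-defined $(NAME) references; leave others in place."""
    def sub(m):
        name = m.group(1)
        if name in variables and depth < 10:
            return expand(variables[name], variables, depth + 1)
        return m.group(0)
    return VAR_REF.sub(sub, mask)

def records_device(mask):
    """True if the property mask leaves the 'd' (device number) property on."""
    on, sign = False, "+"
    for tok in re.findall(r"\$\(\w+\)|[+-]|[A-Za-z]", mask):
        if tok.startswith("$"):
            on, sign = True, "+"      # assumption: unresolved variables record d
        elif tok in "+-":
            sign = tok
        elif tok == "d":
            on = sign == "+"
    return on

def rules_recording_device(policy_text):
    """Return the object names of rules whose mask still includes 'd'."""
    text = re.sub(r"#[^\n]*|^\s*@@[^\n]*", "", policy_text, flags=re.M)
    variables, flagged = {}, []
    for stmt in (s.strip() for s in text.split(";")):
        definition, rule = VAR_DEF.match(stmt), RULE.search(stmt)
        if definition:
            variables[definition.group(1)] = definition.group(2)
        elif rule and records_device(expand(ATTRS.sub("", rule.group(2)), variables)):
            flagged.append(rule.group(1))
    return flagged

if __name__ == "__main__":
    print(rules_recording_device(SAMPLE_POLICY))
```

Because unresolved variables are treated as recording 'd', the check errs toward flagging a rule rather than missing one.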