denied if file does not match with baselined information. A '.' in either the P or R
column means that Protection or Reporting, respectively, is not enabled.
If a change is detected against the baseline, it is reported as follows:
[Note] .RA /bin/ls Hash does not match baselined hash
[Note] .RA /bin/ls inode information does not match baselined data
So even if the inode data has changed, the hash might still be the same (running touch
on a file changes its inode data). However, if the hash has changed and the inode data
is still the same, then the file contents have been modified and its mtime has been set
back to what it was with utime() (man 2 utime).
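The two cases above can be reproduced with a small checker. This is an added example, not the product's own code: it assumes the mode:uid:gid:len:mtime record carries the mode in hex (inferred from the 81ed in the sample output), uses SHA-256 as its own choice of hash, reuses the mtime values from the sample output, and works on a constructed temporary file.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# (hash changed, inode data changed) -> interpretation, following the text above
VERDICTS = {
    (False, False): "OK",
    (False, True): "metadata only, e.g. touch",
    (True, False): "contents modified, mtime set back",
    (True, True): "contents and metadata changed",
}

def baseline(path):
    """Record mode:uid:gid:len:mtime (mode in hex, an assumed layout) and a hash."""
    st = os.stat(path)
    inode = f"{st.st_mode:x}:{st.st_uid}:{st.st_gid}:{st.st_size}:{int(st.st_mtime)}"
    # SHA-256 is this example's choice; the page does not name its hash function.
    return inode, hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify(path, base):
    """Compare the file with its baseline; return (report notes, verdict)."""
    inode, digest = baseline(path)
    hash_changed, inode_changed = digest != base[1], inode != base[0]
    notes = []
    if hash_changed:
        notes.append("Hash does not match baselined hash")
    if inode_changed:
        notes.append("inode information does not match baselined data")
    return notes, VERDICTS[(hash_changed, inode_changed)]

def demo():
    """Constructed scenario on a temporary file; returns three (notes, verdict)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "sample.bin")
        path.write_bytes(b"original")
        os.utime(path, (1096007887, 1096007887))   # fixed mtime for the baseline
        base = baseline(path)
        clean = verify(path, base)
        os.utime(path, (1096388689, 1096388689))   # like touch: inode data only
        touched = verify(path, base)
        path.write_bytes(b"tampered")              # same length, new contents
        os.utime(path, (1096007887, 1096007887))   # mtime put back with utime()
        reset = verify(path, base)
    return clean, touched, reset

if __name__ == "__main__":
    for notes, verdict in demo():
        print(verdict, notes)
```
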
If --show-details is specified, deviations against the baseline are reported as follows:
[Note] ( RA) /bin/ls Hash does not match baselined hash
[Note] ( RA) /bin/ls inode information does not match baselined data
     mode:uid:gid:len:mtime      hash
Old  81ed:0:0:31936:1096007887   e2c2f03d5460690211fa497592543371
Now  81ed:0:0:31940:1096388689   08c4eae2cf02c4214ba48cb89197aa66
If no deviations are found and --show-all is also specified, the following is reported:
[ OK ] ( RA) /bin/ls (81ed:0:0:620676:1077202297)
baseline action reports