The SAMHAIN file integrity / intrusion detection system

License

Samhain ("the software") is distributed under the terms of the GNU General Public License ("GPL").

Download

Version 3.1.0: samhain-current.tar.gz
MD5 checksum: a621678f0e97fec612e63864b4d1e9d2
bytes: 2117336
release date: Oct 31, 2013

Version 2.8.6: samhain_signed-2.8.6.tar.gz
MD5 checksum: d02494e7282809e76b83fa1c2ecb952b
bytes: 2075621
release date: Sep 20, 2011

Mailing list: samhain-announce

Unpack and verify

After downloading, unzip the tar file.

    $ gunzip samhain-current.tar.gz
    $ tar -xf samhain-current.tar
    samhain-3.1.0.tar.gz
    samhain-3.1.0.tar.gz.asc
    

Get the samhain development PGP key 1024D/0F571F6C
(almost any keyserver will do if pgp.mit.edu is temporarily unavailable):

    $ gpg --keyserver pgp.mit.edu --recv-key 0F571F6C
    

check the key fingerprint (EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C)

    $ gpg --fingerprint 0F571F6C
    

and verify the PGP signature on the distribution tarball:

 
    $ gpg --verify samhain-3.1.0.tar.gz.asc samhain-3.1.0.tar.gz
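
The fingerprint check and signature verification above can be scripted so that the comparison is exact rather than done by eye. The following is an added example, not part of the samhain distribution: the function names are assumptions, and it pins the full fingerprint because a short key ID such as 0F571F6C does not uniquely identify a key. It assumes gpg is installed and the key has already been received into the local keyring.

```shell
#!/bin/sh
# Added example: pin the full fingerprint printed on this page rather than
# the 32-bit short key ID, and read gpg's machine-readable output.
EXPECTED_FPR="EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C"

# Strip whitespace and upper-case, so the printed form compares equal to gpg's.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# stdin: `gpg --with-colons --fingerprint KEYID`; prints field 10 of the
# first "fpr" record, which is the primary key's fingerprint.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# stdin: `gpg --status-fd 1 --verify SIG FILE`; succeeds only if a VALIDSIG
# line names fingerprint $1 as the signing key or as its primary key.
validsig_by() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == want || ($NF "") == want) { ok = 1 }
        END { exit !ok }'
}

# Constructed status line: valid signature, same short ID, different key.
LOOKALIKE="[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF0F571F6C \
2013-10-31 1383177600 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF0F571F6C"

# Usage: verify_samhain samhain-3.1.0.tar.gz.asc samhain-3.1.0.tar.gz
verify_samhain() {
    sig=$1 tarball=$2
    got=$(gpg --with-colons --fingerprint 0F571F6C 2>/dev/null | primary_fpr)
    [ "$got" = "$(normalize_fpr "$EXPECTED_FPR")" ] || {
        echo "fingerprint mismatch: ${got:-no key found}" >&2; return 1; }
    gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null |
        validsig_by "$EXPECTED_FPR" || {
        echo "no valid signature from pinned key" >&2; return 1; }
    echo "OK: $tarball is signed by $EXPECTED_FPR"
}
```

Piping LOOKALIKE into validsig_by shows the failure case: the signature is cryptographically valid, but the signer is not the pinned key, so the check fails.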
    

Unzip the second-stage tar file and cd into the distribution directory:

    $ gunzip samhain-3.1.0.tar.gz
    $ tar -xf samhain-3.1.0.tar
    $ cd samhain-3.1.0
    

Installation

Read the README and/or the manual for options you may want to supply to configure, then do:

    $ ./configure [options]
    $ make
    $ make install
    

(There is also a working make uninstall. Just to let you know.)

If you have an incarnation of 'dialog' (xdialog, dialog, lxdialog) installed, you can alternatively use the GUI install tool:

    $ ./Install.sh
    

After installation, you should first review the configuration file (by default /etc/samhainrc), especially with respect to network addresses such as the email address, and files/directories you may want to have checked. Next, you have to initialize the database:

    $ samhain -t init
    

Then, you can start samhain in daemon mode to check your system at the intervals specified in the configuration file:

    $ samhain -t check -D
    

On most systems, after the 'make install', you can add 'make install-boot' to install the necessary scripts to start up samhain every time you boot your machine (supported: Linux, FreeBSD, MacOS X, Solaris, HP-UX, AIX).

Mailing list

It is recommended that samhain users subscribe to the samhain-announce mailing list. This is a very low traffic mailing list used exclusively for the announcement of new versions of samhain, and for information on security problems (in case any are discovered).