Table of Contents
- 1. Usage overview
- 2. Available checksum functions
- 3. File signatures
- 4. Defining file check policies: what, and how, to monitor
- 4.1. Monitoring policies
- 4.2. File/directory specification
- 4.3. Suppress messages about new/deleted/modified files
- 4.4. Dynamic database update (modified/disappeared/new files)
- 4.5. Recursion depth(s)
- 4.6. Hardlink check
- 4.7. Check for weird filenames
- 4.8. Support for prelink
- 4.9. SELinux attributes and Posix ACLs
- 4.10. Codes in messages about reported files
- 4.11. Loose directory checking
- 4.12. Storing the full content of a file
- 4.13. Who made changes to a file?
- 4.14. Skip checksumming for particular files
- 4.15. Graceful handling of log rotation
- 4.16. No such user/group
- 5. Excluding files and/or subdirectories (All except...)
- 6. Timing file checks
- 7. Initializing, updating, or checking
- 8. The file signature database
- 9. Checking the file system for SUID/SGID binaries
- 10. Detecting Kernel rootkits
- 11. Monitoring login/logout events
- 12. Checking mounted filesystem policies
- 13. Checking sensitive files owned by users
- 14. Checking for hidden/fake/missing processes
- 15. Checking for open ports
- 16. Logfile monitoring/analysis
- 17. Checking the Windows registry
- 18. Modules
- 19. Performance tuning
- 20. Storing the full content of a file (aka: WHAT has changed?)
- 21. Inotify support on Linux (instantaneous reports, no I/O load)
The samhain file monitor checks the integrity of files by comparing them against a database of file signatures, and notifies the user of inconsistencies. The level of logging is configurable, and several logging facilities are provided.
samhain can be used as a client that forwards messages to the server part (yule) of the samhain system, or as a standalone program (for single hosts).
samhain can be run as a background process (i.e. a daemon), or it can be started at regular intervals by cron.
It is recommended to run samhain as a daemon, because
To use samhain, the following steps must be followed:
All files and directories that you want to monitor must be listed. Wildcard patterns are supported.
The policies for monitoring them (i.e. which modifications are allowed and which not) must be chosen.
Optionally, the severity of a policy violation can be selected.
The logging facilities must be chosen, and the threshold level of logging should be defined. To activate a logging facility, its threshold level must be different from none.
Where applicable, the address of the e-mail recipient and/or the IP address of the log server must be given.
The database must be initialized. If it already exists, it should be deleted (samhain will not overwrite, but append), or update instead of init should be used:
Start samhain in check mode. Either select this mode in the configuration file, or use the command line option:
To run samhain as a background process, use the command line option
samhain -D -t
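As an added example (not from the manual or from the samhain project itself), a minimal samhainrc that carries the steps above through in one configuration file: what to monitor, the policy and severity for each entry, the logging facilities with their thresholds, and the mail/log-server settings. The paths, the mail address and the log-server name are placeholders chosen here, and the SetLogServer line assumes a client build that forwards to yule.

```ini
# Added example, not part of the samhain manual. Paths, mail address
# and log-server name are constructed placeholders.

# Steps 1 and 2: what to monitor, and under which policy.
# [ReadOnly]: every modification except access time is reported.
[ReadOnly]
dir=/bin
dir=/sbin
file=/etc/passwd
file=/etc/shadow

# [Attributes]: only ownership, permissions and device number are
# checked, so a file whose content legitimately changes is not reported.
[Attributes]
file=/etc/mtab

# [GrowingLogFiles]: timestamp and checksum changes are ignored, and
# a size change is ignored only while the file grows (shrinking is reported).
[GrowingLogFiles]
file=/var/log/messages

# Step 3: severity assigned to a violation of each policy.
[EventSeverity]
SeverityReadOnly=crit
SeverityAttributes=crit
SeverityGrowingLogs=warn

# Step 4: logging facilities and their threshold levels. A facility whose
# threshold is "none" is disabled; everything at or above the threshold is
# reported through that facility.
[Log]
MailSeverity=crit
SyslogSeverity=err
PrintSeverity=info
ExportSeverity=none

# Step 5: where reports go (placeholders). SetLogServer only has an effect
# in a client build that forwards to yule.
[Misc]
SetMailAddress=security@example.org
SetLogServer=yule.example.org
# Steps 6 and 7: run as a daemon in check mode. The -t command line
# option, when given, overrides ChecksumTest.
Daemon=yes
ChecksumTest=check
```

The signature database still has to be created once before the first check run, as step 6 of the list above describes.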