The Linux kernel offers an interface, called inotify, which allows an application to obtain change notifications for files and directories, provided the application has registered watches for the files and directories it is interested in.
As of version 3.0, samhain can optionally use the inotify interface. The advantage of this is twofold: first, it is not necessary to perform regular filesystem scans to detect file changes, i.e. the I/O load is drastically reduced; and second, changes can be reported immediately, thus allowing faster responses.
Your system may be configured with a default for the maximum number of inotify watches per user that is too low. You can see the current value with:
You can change the default temporarily (i.e. until reboot) with:
echo 1048576 > /proc/sys/fs/inotify/max_user_watches
You can change the default permanently by placing the following line in
Alternatively, samhain can be configured to reset the value by itself on startup (see example configuration below).
(1) On startup, samhain will perform a full scan, first to set the inotify watches, and second to recover changes that happened after the baseline database was initialised but before the file check was started.
(2) The kernel will queue inotify events. If the queue overflows because there are too many events in too short a time, the application will be notified. In this case, samhain will automatically trigger a full scan to recover lost file system changes.
(3) Finally, even if inotify is enabled, samhain will still honour the configured intervals or schedules for full scans. If you want to rely only on inotify, you may want to configure a very large interval for filesystem checks, e.g. 'SetFilecheckTime = 315360000' (10 years).
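As an added example (not samhain's own code), the following C program shows the mechanics behind points (1) and (2) above together with the watch-limit check from the max_user_watches section: it reads the current per-user watch limit, takes a full-scan baseline immediately after the watch is registered, drains queued events without blocking, and falls back to a full scan whenever the kernel reports IN_Q_OVERFLOW. The temporary directory, the probe file name and the helper names (full_scan, drain_events, run_demo, watch_limit_ok) are constructed for this demo; full_scan() is a stand-in that only counts files instead of checksumming them.

```c
/* Added example, not part of samhain: minimal inotify consumer that
 * mirrors samhain's recovery strategy (baseline full scan, event-driven
 * updates, forced full scan on IN_Q_OVERFLOW). Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

#define WATCH_MASK (IN_CREATE | IN_MODIFY | IN_DELETE)

struct watch_result {
    int created, modified, deleted;  /* per-event-type counts */
    int overflow;                    /* set if IN_Q_OVERFLOW was seen */
    int full_scans;                  /* how often full_scan() ran */
    int files;                       /* file count from the last full scan */
};

struct watch_result demo_result;     /* filled in by run_demo() */

/* Current per-user watch limit from /proc, or -1 if it cannot be read. */
long read_max_user_watches(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/fs/inotify/max_user_watches", "r");
    if (f == NULL) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* 1 if the limit covers `needed` watches, 0 if not, -1 if unknown. */
int watch_limit_ok(long needed)
{
    long lim = read_max_user_watches();
    if (lim < 0) return -1;
    return lim >= needed ? 1 : 0;
}

/* Stand-in for samhain's full scan: count entries in dir (minus . and ..). */
static int full_scan(const char *dir, struct watch_result *r)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) n++;
    closedir(d);
    r->full_scans++;
    r->files = n;
    return n;
}

/* Drain every queued event. IN_Q_OVERFLOW means the kernel dropped events,
 * so the only safe reaction is a full scan, which is what samhain does. */
static int drain_events(int fd, const char *dir, struct watch_result *r)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    for (;;) {
        ssize_t len = read(fd, buf, sizeof buf);
        if (len < 0) return (errno == EAGAIN) ? 0 : -1;  /* EAGAIN: queue empty */
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & IN_Q_OVERFLOW) { r->overflow = 1; full_scan(dir, r); }
            if (ev->mask & IN_CREATE) r->created++;
            if (ev->mask & IN_MODIFY) r->modified++;
            if (ev->mask & IN_DELETE) r->deleted++;
            p += sizeof *ev + ev->len;
        }
    }
}

/* One cycle in a constructed temp dir: register watch, baseline scan,
 * create/modify/delete a probe file, drain events. Returns 0 on success. */
int run_demo(void)
{
    char dir[] = "/tmp/inotify_demo_XXXXXX";   /* constructed location */
    char path[64];
    int fd, wd, rc;
    FILE *f;

    memset(&demo_result, 0, sizeof demo_result);
    if (mkdtemp(dir) == NULL) return -1;
    fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) { rmdir(dir); return -2; }
    wd = inotify_add_watch(fd, dir, WATCH_MASK);
    if (wd < 0) { close(fd); rmdir(dir); return -3; }
    full_scan(dir, &demo_result);          /* (1) baseline after watches are set */

    snprintf(path, sizeof path, "%s/probe.txt", dir);
    f = fopen(path, "w");                  /* IN_CREATE */
    if (f == NULL) { inotify_rm_watch(fd, wd); close(fd); rmdir(dir); return -4; }
    fputs("probe\n", f);
    fclose(f);                             /* IN_MODIFY when the buffer is written */
    unlink(path);                          /* IN_DELETE */

    rc = drain_events(fd, dir, &demo_result);
    inotify_rm_watch(fd, wd);
    close(fd);
    rmdir(dir);
    return rc;
}
```

Because inotify does not let you subscribe to IN_Q_OVERFLOW, the handler checks for it on every event regardless of the registered mask; in a real deployment the fallback full scan is also where you would re-register watches for directories that appeared while events were being lost.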
Note that currently, a directory matched by a wildcard pattern that newly appears in the filesystem can only be detected in a full scan (unless, of course, its parent directory is monitored anyway). Wildcard patterns for files are checked every 10 seconds.