For even more stealthiness, it is possible to pack and encrypt the samhain executable. The packer is only moderately effective, but portable. Note that the encryption key of course must be present in the packed executable, thus this is no secure encryption, but rather is intended for obfuscation of the executable. There is a make target for packing the samhain executable:
samhain.pk will unpack into a temporary file and execute it, passing along all command line arguments. The temporary file is created in
if the sticky bit is set on this directory, and in /usr/bin otherwise. The filename is chosen at random, and the file is only opened if it does not exist already (otherwise a new random filename will be tried). The file permission is set to 700.
The directory entry for the unpacked executable will be deleted after executing it, but on systems with a /proc filesystem, the deleted entry may show up there. In particular, this is the case for Linux. You should be aware that this may raise suspicion.
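The trace just described is easy to audit for. The following is an added example, not code from the samhain manual or project: it lists every process whose /proc/PID/exe link carries the kernel's " (deleted)" suffix, i.e. whose executable was unlinked after it started, which is what the packed binary leaves behind on Linux. The sample /proc tree used for demonstration is constructed inside the script.

```python
import os
import tempfile


def deleted_executables(proc_root="/proc"):
    """Return sorted (pid, target) pairs for processes whose exe link points at
    a file that was unlinked after exec; Linux appends ' (deleted)' to it."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip 'self', 'sys', 'net', ...
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue                     # kernel thread, exited, or no permission
        if target.endswith(" (deleted)"):
            hits.append((int(entry), target))
    return sorted(hits)


def build_sample_proc(root=None):
    """Constructed stand-in for /proc (hypothetical PIDs and paths): an ordinary
    process, one running an unlinked temp file as the packed binary would,
    a kernel thread without an exe link, and the non-PID entry 'self'."""
    root = root or tempfile.mkdtemp(prefix="fakeproc-")
    links = {
        "1": "/usr/sbin/init",
        "4242": "/tmp/.s7kq2 (deleted)",   # constructed random-looking name
        "9": None,                         # kernel thread: no exe link
    }
    for pid, target in links.items():
        pid_dir = os.path.join(root, pid)
        os.makedirs(pid_dir)
        if target is not None:
            os.symlink(target, os.path.join(pid_dir, "exe"))
    os.makedirs(os.path.join(root, "self"))
    return root


if __name__ == "__main__":
    # Scan the live /proc; needs root to read exe links of other users' processes.
    for pid, target in deleted_executables():
        print(f"pid {pid} runs an unlinked executable: {target}")
```

On a real host the list also contains processes whose binary was replaced by a package upgrade while they kept running, so a hit is a prompt to look closer, not proof of a packed or hidden program.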
On Linux, the /proc filesystem is used to call the unpacked executable without a race condition, by executing
NN is the file descriptor to which the unpacked executable has been written. On other systems, the filename of the unpacked executable must be used, which creates a race condition (the file may be modified between creation and
The packed executable will not honour the SUID bit.