Chapter 5. Configuring samhain, the host integrity monitor

The samhain file monitor checks the integrity of files by comparing them against a database of file signatures, and notifies the user of inconsistencies. The level of logging is configurable, and several logging facilities are provided.

samhain can be used as a client that forwards messages to the server part (yule) of the samhain system, or as a standalone program (for single hosts).

samhain can be run as a background process (i.e. a daemon), or it can be started at regular intervals by cron.

Tip

It is recommended to run samhain as daemon, because

  • samhain can remember file changes, thus while running as a daemon it will not bother you with repetitive messages about the same problem, and

  • using cron opens up a security hole, because between consecutive invocations the executable could get modified or replaced by a rogue program.

5.1. Usage overview

To use samhain, the following steps must be followed:

  1. The configuration file must be prepared (see Section 5.4, Section 4.1, and Section 5.11 for details).

    • All files and directories that you want to monitor must be listed. Wildcard patterns are supported.

    • The policies for monitoring them (i.e. which modifications are allowed and which not) must be chosen.

    • Optionally, the severity of a policy violation can be selected.

    • The logging facilities must be chosen, and the threshold level of logging should be defined. To activate a logging facility, its threshold level must be different from none.

    • Where applicable, the address of the e-mail recipient and/or the IP address of the log server must be given.

  2. The database must be initialized. If it already exists, it should be deleted first (samhain does not overwrite an existing database, but appends to it), or update should be used instead of init:

    samhain -t init|update

  3. Start samhain in check mode. Either select this mode in the configuration file, or use the command line option:

    samhain -t check

    To run samhain as a background process, use the command line option:

    samhain -D -t check
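The following is a minimal standalone configuration that works through step 1 (what to monitor, the policy, the severity, the logging thresholds, the mail recipient) and selects the check mode and daemon operation of step 3 from within the file. It is an added illustration, not a configuration file taken from this manual or shipped with samhain: the section and directive names follow the samhainrc format as the editor recalls it and must be verified against Section 5.4 before use, and the monitored paths, the mail address and the commented-out log server address are placeholders.

```ini
# /etc/samhainrc (illustrative example; not from the samhain manual)
# Directive and section names are the editor's recollection of the
# samhainrc format; verify them against Section 5.4 before use.

[ReadOnly]
# Step 1: files and directories to monitor under the ReadOnly policy:
# any change to content, permissions, owner or timestamps is reported.
dir = /etc
dir = /bin
dir = /sbin
file = /boot/vmlinuz

[LogFiles]
# LogFiles policy: these files may grow and change mtime, but must not
# be truncated or change owner and mode.
file = /var/log/messages
file = /var/log/auth.log

[EventSeverity]
# Optional: severity assigned to a violation of each policy.
SeverityReadOnly = crit
SeverityLogFiles = crit

[Log]
# One threshold per logging facility. A facility stays switched off
# for as long as its threshold is "none".
# Console
PrintSeverity = info
# samhain's own log file
LogSeverity = err
# syslog: disabled here
SyslogSeverity = none
# e-mail: only crit and above
MailSeverity = crit
# Forwarding to the yule server: disabled on a standalone host
ExportSeverity = none

[Misc]
# Recipient for messages at MailSeverity or above (placeholder address).
SetMailAddress = root@localhost
# Only needed if ExportSeverity is not "none" (placeholder address).
# SetLogServer = 192.0.2.10
# Step 3: run in check mode as a daemon; equivalent to "samhain -D -t check".
ChecksumTest = check
Daemon = yes
```

With this file in place, the database is created once with samhain -t init (step 2), after which samhain -D -t check starts the daemon; the -t and -D command line options take precedence over the ChecksumTest and Daemon directives. Note that changing MailSeverity to none would silently disable e-mail notification even though SetMailAddress is still set, which is the pitfall the threshold rule in step 1 warns about.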