The samhain file monitor checks the integrity of files by comparing them against a database of file signatures, and notifies the user of inconsistencies. The level of logging is configurable, and several logging facilities are provided.
samhain can be used as a client that forwards messages to the server part (yule) of the samhain system, or as a standalone program (for single hosts).
samhain can be run as a background process (i.e. a daemon), or it can be started at regular intervals by cron.
It is recommended to run samhain as a daemon, because
To use samhain, the following steps must be followed:
All files and directories that you want to monitor must be listed. Wildcard patterns are supported.
The policies for monitoring them (i.e. which modifications are allowed and which not) must be chosen.
Optionally, the severity of a policy violation can be selected.
The logging facilities must be chosen, and the threshold level of logging should be defined. To activate a logging facility, its threshold level must be different from none.
If applicable, the address of the e-mail recipient and/or the IP address of the log server must be given.
The database must be initialized. If it already exists, it should be deleted (samhain will not overwrite, but append), or update instead of init should be used:
samhain -t init|update
Start samhain in check mode. Either select this mode in the configuration file, or use the command line option:
samhain -t check
To run samhain as a background process, use the command line option:
samhain -D -t check
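The setup steps above all end up as entries in the configuration file, and a facility left at threshold none or missing its destination address produces no reports. The following Python script is an added example, not part of the samhain documentation: it checks a constructed samhainrc for those omissions before the database is initialized. It reads only explicit settings (compiled-in defaults are not modelled), and the sample paths and mail address are constructed.

```python
# Added example: pre-flight check of a samhainrc against the setup steps.
# Explicit settings only; sample configuration, paths and address are constructed.
SAMPLE_RC = """\
[ReadOnly]
dir = /usr/bin
file = /etc/passwd
[EventSeverity]
SeverityReadOnly = crit
[Log]
MailSeverity = crit
LogSeverity = info
ExportSeverity = none
[Misc]
ChecksumTest = check
SetMailAddress = root@localhost
"""

POLICIES = {"readonly", "logfiles", "growinglogfiles", "attributes",
            "ignoreall", "ignorenone"}
NEEDS = {"mailseverity": "setmailaddress", "exportseverity": "setlogserver"}

def parse_rc(text):
    """Return {section: [(key, value), ...]}; keys may repeat (file=, dir=)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def preflight(text):
    """Return a list of problems that would leave monitoring ineffective."""
    rc, problems = parse_rc(text), []
    if not any(k in ("file", "dir") for s in POLICIES for k, _ in rc.get(s, [])):
        problems.append("no file or dir listed under any policy section")
    log, misc = dict(rc.get("log", [])), dict(rc.get("misc", []))
    active = [k for k, v in log.items() if k.endswith("severity") and v.lower() != "none"]
    if not active:
        problems.append("every logging facility has threshold none")
    for facility, option in NEEDS.items():
        if facility in active and not misc.get(option):
            problems.append(f"{facility} is active but {option} is not set")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE_RC) or "configuration covers all setup steps")
```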