21. Inotify support on Linux (instantaneous reports, no I/O load)

The Linux kernel offers an interface, called inotify, which allows an application to obtain change notifications for files and directories, provided that the application has registered watches for the files and directories it is interested in.

As of version 3.0, samhain can optionally use the inotify interface. The advantage of this is twofold: first, it is not necessary to perform regular filesystem scans to detect file changes, i.e. the I/O load is drastically reduced. Second, changes can be reported immediately, thus allowing faster responses.

Note: Please note

Your system may be configured with a default for the maximum number of inotify watches per user that is too low. You can see the current value with:

cat /proc/sys/fs/inotify/max_user_watches

You can change the default temporarily (i.e. until reboot) with:

echo 1048576 > /proc/sys/fs/inotify/max_user_watches

You can change the default permanently by placing the following line in /etc/sysctl.conf (this will take effect at the next reboot):

fs.inotify.max_user_watches = 1048576
Alternatively, samhain can be configured to reset the value by itself on startup (see example configuration below).

Note: Full scans

(1) On startup, samhain will perform a full scan, first to set the inotify watches, and second to recover changes that happened after initialisation of the baseline database, but before starting the file check.

(2) The kernel will queue inotify events. If the queue overflows because there are too many events in too short a time, the application will be notified. In this case, samhain will automatically trigger a full scan to recover lost file system changes.

(3) Finally, even if inotify is enabled, samhain will still honour the configured intervals or schedules for full scans. If you want to rely only on inotify, you may want to configure a very large interval for filesystem checks, e.g. 'SetFilecheckTime = 315360000' (10 years).

Note that currently, directories specified via wildcard patterns that newly appear in the filesystem can only be detected in a full scan (unless, of course, the parent directory is monitored anyway). Wildcard patterns for files are checked every 10 seconds.
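The two mechanisms described above (the per-user watch limit, and the kernel's queue overflow notification that forces a full scan) can be seen in a small program. The following is an added example and not samhain's own code: it reads the kernel limit from /proc/sys/fs/inotify/max_user_watches, counts how many watches a directory tree would need (one per directory and one per regular file, which is an upper bound; samhain's exact accounting is not assumed), and in its event loop treats IN_Q_OVERFLOW as the signal that events were lost and a full scan is required. The sample tree under /tmp is constructed by the program itself; the path /tmp/inotify-demo-XXXXXX and the event mask are assumptions for the demonstration. Linux only.

```c
/* Added example, not samhain's code: estimate the inotify watches a tree needs,
 * compare with the per-user kernel limit, and treat IN_Q_OVERFLOW as "rescan".
 * Linux only; the sample tree created under /tmp is constructed for the demo. */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>
#include <sys/stat.h>

#define MAX_WATCHES_PATH "/proc/sys/fs/inotify/max_user_watches"

/* Parse the decimal number a /proc/sys file yields; -1 if there is none. */
long parse_long(const char *text) {
    char *end;
    long v = strtol(text, &end, 10);
    return (end == text) ? -1 : v;
}

/* Read a single-value sysctl file such as max_user_watches; -1 if unreadable. */
long read_sysctl_long(const char *path) {
    char buf[64];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long v = fgets(buf, sizeof buf, f) ? parse_long(buf) : -1;
    fclose(f);
    return v;
}

/* Upper bound on watches for a tree: one per directory plus one per regular
 * file; symlinks are not followed. Returns -1 if root cannot be opened. */
long count_watch_targets(const char *root) {
    if (!root) return -1;
    DIR *d = opendir(root);
    if (!d) return -1;
    long n = 1;                                   /* the directory itself */
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        char path[4096];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", root, de->d_name);
        if (lstat(path, &st) != 0) continue;      /* vanished or unreadable */
        if (S_ISDIR(st.st_mode)) {
            long sub = count_watch_targets(path);
            if (sub > 0) n += sub;
        } else if (S_ISREG(st.st_mode)) {
            n++;
        }
    }
    closedir(d);
    return n;
}

/* IN_Q_OVERFLOW means the kernel dropped events; the only safe reaction is a
 * full scan, which the text above says samhain triggers automatically. */
int needs_full_scan(uint32_t mask) {
    return (mask & IN_Q_OVERFLOW) ? 1 : 0;
}

/* Constructed sample tree: 2 directories + 3 files = 5 watch targets. */
const char *make_sample_tree(void) {
    static char base[64];
    char path[128];
    const char *files[] = { "a.conf", "b.conf", "sub/c.conf" };
    strcpy(base, "/tmp/inotify-demo-XXXXXX");    /* assumed demo location */
    if (!mkdtemp(base)) return NULL;
    snprintf(path, sizeof path, "%s/sub", base);
    if (mkdir(path, 0700) != 0) return NULL;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", base, files[i]);
        FILE *f = fopen(path, "w");
        if (!f) return NULL;
        fputs("sample\n", f);
        fclose(f);
    }
    return base;
}

/* Watch one directory and print events; an overflow is reported as a rescan. */
static void watch_loop(const char *dir) {
    uint32_t mask = IN_CREATE | IN_MODIFY | IN_DELETE | IN_ATTRIB;
    int fd = inotify_init1(IN_CLOEXEC);
    if (fd < 0 || inotify_add_watch(fd, dir, mask) < 0) { perror("inotify"); return; }
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0; ) {
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (needs_full_scan(ev->mask))
                puts("queue overflow: events were lost, a full scan is needed");
            else
                printf("mask 0x%x on %s\n", ev->mask, ev->len ? ev->name : dir);
            p += sizeof *ev + ev->len;
        }
    }
    close(fd);
}

int main(int argc, char **argv) {
    const char *root = argc > 1 ? argv[1] : make_sample_tree();
    if (!root) { perror("sample tree"); return 1; }
    long limit = read_sysctl_long(MAX_WATCHES_PATH);
    long need = count_watch_targets(root);
    printf("max_user_watches=%ld, watch targets under %s=%ld\n", limit, root, need);
    if (limit >= 0 && need > limit)
        puts("raise fs.inotify.max_user_watches via sysctl, or set InotifyWatches");
    if (argc > 1) watch_loop(root);               /* Ctrl-C to stop */
    return 0;
}
```

Run it with a directory argument to compare that tree against the current limit and then watch it; without an argument it only reports the count for the constructed sample tree. The overflow branch is the point to notice: the event carries no file name, so a program that ignores IN_Q_OVERFLOW silently misses changes, which is why a full scan, not a retry, is the correct response.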

21.1. Example configuration

	  # Activate (default is off)
	  InotifyActive = yes
	  # Optionally set the maximum number of watches allowed per user.
	  # (default is leave as is). To see the default, use:
	  # cat /proc/sys/fs/inotify/max_user_watches
	  InotifyWatches = 1048576