10. Files and directory layout


samhain has its own set of trusted users. Paths to critical files (e.g. the configuration file) must be writeable by trusted users only. Failure to ensure this (e.g. by compiling in an appropriate set of trusted users) is one of the most frequent reasons for problems. See below for details.

10.1. Trusted users and trusted paths

  • Trusted users are root and the effective user of the process (usually, the effective user will be root herself). Additional trusted users can be defined in the configuration file (see Section 5 for an example), or at compile time, with the option

                  bash$ ./configure --with-trusted=0,...

  • A trusted path is a path with all elements writeable only by trusted users. samhain requires the paths to the configuration and log file to be trusted paths, as well as the path to the pid file.

If a path element is group writeable, all group members must be trusted. If the path to the configuration file itself is writeable by users other than root and the effective user, these must be defined as trusted already at compile time.


The list of group members in /etc/group may be incomplete or even empty. samhain will check /etc/passwd (where each user has a GID field) in addition to /etc/group to find all members of a group.
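The following added example (not samhain's own code) applies the trusted-path rule described above to an arbitrary path, which helps when tracking down which path element makes a configuration, log or pid file path untrusted. The function names are hypothetical. Treating the owner of an element as a writer and resolving symbolic links up front are simplifying assumptions of this sketch.

```python
import grp
import os
import pwd
import stat
import sys

def group_members(gid):
    """UIDs in group gid: /etc/group member list plus every user whose passwd GID field is gid."""
    uids = {p.pw_uid for p in pwd.getpwall() if p.pw_gid == gid}
    try:
        names = grp.getgrgid(gid).gr_mem
    except KeyError:          # GID has no /etc/group entry at all
        names = []
    for name in names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:      # stale member name with no passwd entry
            pass
    return uids

def untrusted_elements(path, trusted=(0,), members=group_members):
    """Return (element, reason) for every element of path that an untrusted user can modify."""
    trusted = set(trusted) | {os.geteuid()}   # root and the effective user are always trusted
    findings = []
    elem = os.path.realpath(path)             # simplification: resolve symlinks up front
    while True:
        if os.path.exists(elem):              # e.g. a log file that has not been created yet
            st = os.stat(elem)
            if st.st_uid not in trusted:      # assumption: the owner can chmod, so counts as a writer
                findings.append((elem, f"owner uid {st.st_uid} is not trusted"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((elem, "world writable"))
            if st.st_mode & stat.S_IWGRP:
                bad = sorted(members(st.st_gid) - trusted)
                if bad:
                    findings.append((elem, f"group writable, untrusted member uids {bad}"))
        parent = os.path.dirname(elem)
        if parent == elem:                    # reached /
            return findings
        elem = parent

if __name__ == "__main__":
    # Usage: script PATH [TRUSTED_UID ...]; extra UIDs play the role of --with-trusted=0,...
    target, extra = sys.argv[1], [int(u) for u in sys.argv[2:]]
    for elem, why in untrusted_elements(target, trusted=[0, *extra]):
        print(f"{elem}: {why}")
```

An empty result means every existing element of the path is writeable only by root, the effective user, and the UIDs given as trusted.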

10.2. Directory layout

samhain conforms to the FHS, which mandates a directory layout that is different from the default GNU layout (everything in subdirectories under /etc/local).


There is an option ./configure --enable-install-name=NAME. When this option is used, not only is the executable installed as NAME, but samhain is also replaced with NAME in all the paths.


For the yule server, replace samhain with yule in the paths explained below.

The following table explains which directory layout results from ./configure --prefix=PREFIX

PREFIXUSR (all capital)  
PREFIXOPT (all capital)  

The file signature database will be written to localstatedir/lib/samhain/samhain_file, the pid file to localstatedir/run/samhain.pid, and the log file to localstatedir/log/samhain_log. In addition, yule writes an HTML status file to localstatedir/log/yule/yule.html.

To get more fine-grained control over the layout, the following configure options are provided:

  • --with-config-file=FILE — The path of the configuration file.

  • --with-log-file=FILE — The path of the log file.

  • --with-pid-file=FILE — The path of the pid file.

  • --with-data-file=FILE — The path of the file signature database file.

  • --with-html-file=FILE — The path of the HTML status file (server only).

10.3. Runtime files

10.3.1. Standalone or client

Logfiles      localstatedir/log/
Data files    localstatedir/lib/samhain/
Pid file      localstatedir/run/

10.3.2. Server


The server will drop root privileges after startup. It does not need write access to the data files, thus the data file directory is chmod 555 on installation. It does need write access to the log file directory. As the system logfile directory usually is owned by root, the install script will by default create a subdirectory and chown it to the unprivileged yule user. The PID file is written before dropping root.

Logfiles      localstatedir/log/yule/
Data files    localstatedir/lib/yule/
Pid file      localstatedir/run/

10.4. Installed files

10.4.1. Standalone or client

File                 Installed to                Mode
samhain              sbindir/samhain             700
samhainrc            sysconfdir/samhainrc        600
samhain.8            mandir/man8/samhain.8       644
samhainrc.5          mandir/man5/samhainrc.5     644
(samhain_setpwd)     sbindir/samhain_setpwd      700
(samhain_stealth)    sbindir/samhain_stealth     700

10.4.2. Server

File                 Installed to                Mode
yule                 sbindir/yule                700
yulectl              sbindir/yulectl             700
yulerc               sysconfdir/yulerc           600
samhain.8            mandir/man8/yule.8          644
samhainrc.5          mandir/man5/yulerc.5        644
samhain_setpwd       sbindir/yule_setpwd         700