The samhain daemon only reads the file signature database on startup (see also Section 4.4). You can update the database while the daemon is running, as long as the update process does not interfere with the daemon's logging, i.e. you should run 'samhain -t update -l none' so that the update process does not access the log file. Interactive updates are supported with the command line flag --interactive; updates using a list of 'good' files are supported with the command line flag --listfile=path_to_listfile, where path_to_listfile is the absolute path to a text file listing the 'good' files (absolute paths, one per line).
If you are using samhain in client/server mode and keep the baseline database on the server, there are two ways to update the database:

(1) The preferred method is the web-based (PHP4) beltane frontend, which allows you to review client messages and to perform server-side updates of the baseline databases.

(2) Temporarily scp the baseline database to the client, run 'samhain -t update', and scp the baseline database back to the server. If you want to keep the client daemon running during the update, you must avoid concurrent access to the log file (use '-l none' for the update process) and concurrent access to the server (use '-e none' for the update process).

If the update process must access the server concurrently anyway (e.g. to download the configuration file), temporarily suspend the client daemon with SIGUSR2. Note that SIGSTOP/SIGCONT will not do what you want, because the daemon must inform the server that it is about to suspend. Send SIGUSR2 again to wake the daemon up from suspend mode.