8. The file signature database

The database file is named samhain_file and is placed in /usr/local/var/lib/samhain by default (both name and location can be configured at compile time).

The database is a binary file. For security reasons, it is recommended to store a backup copy of the database on read-only media; otherwise, if the database is deleted (by accident or by some malicious person), you will no longer be able to recognize file modifications.

samhain will compute the checksum of the database at startup and verify it at each access. samhain will first open() the database, compute the checksum, rewind the file, and then read it. Thus it is not possible to modify the file between checksumming and reading.
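
The open, checksum, rewind, read sequence described above, as an added Python example that is not samhain's own code: it contrasts reading through the one descriptor with reopening by path while the file at that path is replaced in between. SHA-256, the function names and the `between` hook are assumptions made for the demonstration, and the sample data is constructed.

```python
import hashlib, os, tempfile

def _digest_fd(fd):
    # Hash everything readable from the descriptor's current offset.
    h = hashlib.sha256()  # stand-in hash (assumption, not samhain's algorithm)
    while chunk := os.read(fd, 65536):
        h.update(chunk)
    return h.hexdigest()

def load_same_descriptor(path, expected, between=None):
    """open() once, checksum, rewind, read: both passes use one descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if _digest_fd(fd) != expected:
            raise ValueError("database checksum mismatch")
        if between:
            between()                     # demo hook: activity in the gap
        os.lseek(fd, 0, os.SEEK_SET)      # rewind instead of reopening
        return b"".join(iter(lambda: os.read(fd, 65536), b""))
    finally:
        os.close(fd)

def load_reopen_by_path(path, expected, between=None):
    """Contrast: checksum and read each resolve the path separately."""
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected:
            raise ValueError("database checksum mismatch")
    if between:
        between()
    with open(path, "rb") as f:           # may now be a different file
        return f.read()

def demo():
    """Constructed sample data: replace the file at its path during the gap."""
    good, swapped = b"baseline-records-v1", b"replaced-records"
    out = []
    for loader in (load_same_descriptor, load_reopen_by_path):
        with tempfile.TemporaryDirectory() as d:
            db, other = os.path.join(d, "samhain_file"), os.path.join(d, "tmp")
            with open(db, "wb") as f:
                f.write(good)
            def swap():
                with open(other, "wb") as f:
                    f.write(swapped)
                os.replace(other, db)     # rename over the database path
            out.append(loader(db, hashlib.sha256(good).hexdigest(), swap))
    return out

if __name__ == "__main__":
    print(demo())
```

In this sketch the single descriptor pins the file that was checksummed, so a rename over the path has no effect on what is read. It covers the path-replacement case only; a write to the same file in place would still be seen by the second pass.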