The database file is named
samhain_file
by default,
and placed into
/usr/local/var/lib/samhain
by default (name and
location can be configured at compile time).
The database is a binary file. For security reasons, it is recommended to store a backup copy of the database on read-only media, otherwise you will not be able to recognize file modifications after its deletion (by accident or by some malicious person).
samhain will compute the checksum of the database at startup and verify it at each access. samhain will first open() the database, compute the checksum, rewind the file, and then read it. Thus it is not possible to modify the file between checksumming and reading.