samhain works by generating a database of file signatures, and later comparing file against that database to recognize file modifications and/or added/deleted files.
File signatures include:
a 192-bit cryptographic checksum computed using the TIGER hash algorithm (alternatively SHA-1, MD5, or SHA2-256 can be used),
the inode of the file,
the type of the file,
owner and group,
on Linux only: flags of the ext2 file system (see man chattr ),
the timestamps of the file,
the file size,
the number of hard links,
minor and major device number (devices only)
and the name of the linked file (if the file is a symbolic link).
Depending on the policy chosen for a particular file, only a subset of these may be checked for modifications (see Section 4.1 ), but usually all these informations are collected.