3. File signatures

samhain works by generating a database of file signatures, and later comparing files against that database to recognize file modifications and/or added/deleted files.

File signatures include:

  • a 192-bit cryptographic checksum computed using the TIGER hash algorithm (alternatively SHA-1, MD5, or SHA2-256 can be used),

  • the inode of the file,

  • the type of the file,

  • owner and group,

  • access permissions,

  • on Linux only: flags of the ext2 file system (see man chattr),

  • the timestamps of the file,

  • the file size,

  • the number of hard links,

  • minor and major device number (devices only),

  • and the name of the linked file (if the file is a symbolic link).

Depending on the policy chosen for a particular file, only a subset of these may be checked for modifications (see Section 4.1), but usually all of this information is collected.
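As an added example (not samhain's own code), the following Python script collects the attributes listed above for every entry in a directory, keeps them as a baseline, and reports which attributes changed, which entries were deleted and which were added; a `policy` list restricts the comparison to a subset of attributes, as a samhain policy does. It uses SHA-256 (one of the alternatives the manual names) because Python's hashlib has no portable TIGER, omits the ext2 flags, and the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_signature(path):
    """Attributes a samhain-style signature records for one file (ext2 flags omitted)."""
    st = os.lstat(path)                     # lstat: a symlink is recorded as itself
    sig = {"inode": st.st_ino, "type": stat.S_IFMT(st.st_mode), "owner": st.st_uid,
           "group": st.st_gid, "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
           "atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
           "nlink": st.st_nlink, "checksum": None, "link_target": None, "device": None}
    if stat.S_ISLNK(st.st_mode):
        sig["link_target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):          # SHA-256 stands in for TIGER here
        sig["checksum"] = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    elif stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        sig["device"] = (os.major(st.st_rdev), os.minor(st.st_rdev))
    return sig

def snapshot(directory):
    return {n: file_signature(os.path.join(directory, n)) for n in os.listdir(directory)}

def compare(baseline, current, policy=None):
    """{name: [changed attributes] | 'deleted' | 'added'}; policy limits which attributes count."""
    report = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report[name] = "deleted"
        elif changed := [k for k in (policy or old) if old[k] != new[k]]:
            report[name] = changed
    for name in current.keys() - baseline.keys():
        report[name] = "added"
    return report

def demo():  # constructed scenario: baseline, tamper, rescan; returns (full, policy-limited) reports
    d = Path(tempfile.mkdtemp())
    (d / "passwd").write_bytes(b"root:x:0:0\n")
    (d / "old").write_bytes(b"bye\n")
    (d / "link").symlink_to("passwd")
    baseline = snapshot(d)
    (d / "passwd").write_bytes(b"root:x:0:1\n")   # same size, different content
    for n in ("old", "link"):
        (d / n).unlink()
    (d / "link").symlink_to("shadow")             # link now points elsewhere
    (d / "new").write_bytes(b"")
    current = snapshot(d)
    return compare(baseline, current), compare(baseline, current, ["checksum", "size", "link_target"])
```

Timestamps are left out of the restricted policy on purpose: a same-size content change is invisible to the size check but still caught by the checksum.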