samhain works by comparing the present state of the filesystem against a baseline database. Of course, this baseline database must be initialized first (and preferably from a known good state!). To perform the initialization (i.e. create the baseline database), type:
sh$ samhain -t init -p info
(with -p info, messages of severity 'info' or higher will be printed to your terminal/console).
If the database file already exists, samhain -t init will append to it. This is a feature that is intended to help you operate samhain in a slightly more stealthy way: you can append the database e.g. to a JPEG picture (and the picture will still display normally, because JPEG ignores appended 'garbage').
Note:

It is usually an error to run samhain -t init twice, because (a) it will append a second baseline database to the existing one, and (b) only the first baseline database will be used. Use samhain -t update for updating the baseline database. Delete or rename the baseline database file if you really want to run samhain -t init a second time.
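An added shell wrapper (not part of samhain or its manual) that enforces the note above: it refuses to run samhain -t init when a non-empty baseline file already exists, and records a fingerprint of a freshly created baseline so later changes to the database file itself can be spotted. The SAMHAIN_DB path and the SAMHAIN_BIN variable are assumptions of this example, not samhain options; set SAMHAIN_DB to the database file configured in your samhainrc.

```shell
#!/bin/sh
# Guarded initialisation of the samhain baseline database (example code).
# SAMHAIN_BIN: the samhain binary (overridable, e.g. for testing).
# SAMHAIN_DB:  assumed path of the baseline database; adjust to your
#              samhainrc. Both variables are assumptions of this example.
: "${SAMHAIN_BIN:=samhain}"
: "${SAMHAIN_DB:=/var/lib/samhain/samhain_file}"   # assumed default path

# Refuse to create a baseline when one already exists: "samhain -t init"
# appends to an existing database file and only the first baseline in
# the file is ever used, so a second init silently produces a dead copy.
# Returns 0 on success, 2 if a baseline is already present, 1 on error.
samhain_safe_init() {
    db="${1:-$SAMHAIN_DB}"
    if [ -s "$db" ]; then
        echo "baseline database $db already exists and is non-empty" >&2
        echo "use 'samhain -t update' to refresh it, or move it aside first" >&2
        return 2
    fi
    "$SAMHAIN_BIN" -t init -p info || return 1
    [ -s "$db" ] || { echo "init did not produce $db" >&2; return 1; }
    # Fingerprint the freshly created baseline. Copy this file off-host:
    # it lets you check later that the baseline itself was not replaced.
    sha256sum "$db" > "$db.sha256" || return 1
    return 0
}

# Compare the stored fingerprint with the current database file.
# Returns 0 when the baseline file is unchanged, non-zero otherwise.
samhain_baseline_unchanged() {
    db="${1:-$SAMHAIN_DB}"
    [ -r "$db.sha256" ] || return 1
    sha256sum -c "$db.sha256" >/dev/null 2>&1
}
```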