samhain
TLDR
Initialize the file integrity database
SYNOPSIS
samhain [-t init|check|update] [-D] [-p priority] [--foreground] [-c configfile]
DESCRIPTION
Samhain is a host-based intrusion detection system (HIDS) that provides file integrity monitoring, log file analysis, and rootkit detection. It tracks checksums, permissions, timestamps, and attributes of critical system files to detect unauthorized modifications.
The system operates in three modes: init creates a baseline database, check compares current file states against the baseline, and update refreshes the database. Samhain can detect hidden processes, rogue SUID executables, and kernel-level compromises.
For multi-host environments, Samhain uses a client-server architecture where yule serves as the central log server and configuration host. Configuration is stored in /etc/samhainrc.
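The init/check/update cycle described above, reduced to a small standalone script: it snapshots checksum, permission bits, ownership and size of every file under a tree, writes the baseline, and reports additions, removals and per-attribute changes. This is an added illustration written for this page, not Samhain's own code; the directory tree, file names and the changes made in demo() are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile

# attributes compared on check; Samhain tracks a similar set per file
TRACKED = ("sha256", "mode", "uid", "gid", "size")

def _record(path):
    """Snapshot one file: content checksum plus permission bits, owner and size."""
    st = os.lstat(path)
    digest = ""
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def _scan(root):
    return {os.path.relpath(os.path.join(d, f), root): _record(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files}

def fim(action, root, dbfile):
    """init/update write the baseline; check returns (kind, path, changed_fields)."""
    current = _scan(root)
    if action in ("init", "update"):
        with open(dbfile, "w") as fh:
            json.dump(current, fh)
        return []
    if action != "check":
        raise ValueError("action must be init, check or update")
    with open(dbfile) as fh:
        baseline = json.load(fh)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append(("added", rel, ()))
        elif rel not in current:
            findings.append(("removed", rel, ()))
        else:
            diff = tuple(k for k in TRACKED if baseline[rel][k] != current[rel][k])
            if diff:
                findings.append(("modified", rel, diff))
    return findings

def demo():
    """Constructed scenario: baseline a tree, alter it, then check (returns findings)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        db = os.path.join(dbdir, "baseline.json")  # kept outside the monitored tree
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        for name, body in (("passwd", b"root:x:0:0\n"), ("hosts", b"127.0.0.1 localhost\n")):
            with open(os.path.join(etc, name), "wb") as fh:
                fh.write(body)
        os.chmod(os.path.join(etc, "hosts"), 0o644)
        fim("init", root, db)
        # changes the baseline should flag: appended content, new SUID bit, unexpected file
        with open(os.path.join(etc, "passwd"), "ab") as fh:
            fh.write(b"eve:x:0:0\n")
        os.chmod(os.path.join(etc, "hosts"), 0o4755)
        open(os.path.join(root, "rogue"), "wb").close()
        return fim("check", root, db)
```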
PARAMETERS
-t action
Specify action: init (create baseline), check (verify against baseline), update (refresh database)
-D
Run as a daemon process
--foreground
Run in foreground, do not fork
-c file
Use alternate configuration file (default: /etc/samhainrc)
-p priority
Set logging priority: debug, info, notice, warn, err, crit
--verify-config
Check configuration file syntax and exit
-l file
Specify log file path
-e file
Specify database file path
CAVEATS
The baseline database should be created from a known-clean system state and stored securely (ideally read-only media). When compiled with stealth options, help files and man pages may be unavailable to hide HIDS presence from attackers.
HISTORY
Samhain was developed by Rainer Wichmann and first released in 1999. Named after the Celtic festival marking the end of harvest, it evolved from a simple file integrity checker into a comprehensive HIDS supporting centralized monitoring across heterogeneous environments.
SEE ALSO
aide(1), tripwire(8), rkhunter(1), chkrootkit(1)