
Linux command

samhain command


After copying, replace file names, directories, or parameters as needed.

Common examples

Initialize the file integrity database

samhain -t init

Check files against the baseline database

samhain -t check

Run as a daemon

samhain -D

Check configuration file syntax

samhain -t check --verify-config

Update the database

samhain -t update

Run in foreground

samhain -t check --foreground -p info

Description

Samhain is a host-based intrusion detection system (HIDS) that provides file integrity monitoring, log file analysis, and rootkit detection. It tracks checksums, permissions, timestamps, and attributes of critical system files to detect unauthorized modifications. The system operates in three modes: init creates a baseline database, check compares current file states against the baseline, and update refreshes the database. Samhain can detect hidden processes, rogue SUID executables, and kernel-level compromises. For multi-host environments, Samhain uses a client-server architecture where yule serves as the central log server and configuration host. Configuration is stored in /etc/samhainrc.
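A minimal /etc/samhainrc illustrating the policy classes the description refers to, as an added example that is not from the original page or the Samhain project. The section and key names follow the stock sample samhainrc; the paths, severities and intervals are illustrative choices for a typical Linux host, not a recommended baseline.

```ini
# Added example of a minimal samhainrc (illustrative paths and intervals).
# Each policy section lists files/dirs and what Samhain must NOT see change.

[ReadOnly]
# Checksum, permissions, ownership and timestamps must not change
# (access time excluded). Binaries, boot files and credential files go here.
dir=/bin
dir=/sbin
dir=/usr/bin
dir=/usr/sbin
dir=/boot
file=/etc/passwd
file=/etc/shadow
file=/etc/sudoers

[Attributes]
# Only permissions and ownership are checked; content is allowed to change.
file=/etc/resolv.conf
file=/etc/mtab

[GrowingLogFiles]
# Logs may only grow (append); a shrink or rewrite is reported.
file=/var/log/syslog
file=/var/log/auth.log

[IgnoreAll]
# Not checked at all; keeps volatile pseudo-filesystems out of the baseline.
dir=/proc
dir=/sys

[EventSeverity]
# How loudly a violation in each policy class is reported.
SeverityReadOnly=crit
SeverityAttributes=crit
SeverityGrowingLogs=warn
SeverityIgnoreAll=info

[Log]
# Threshold per output channel (PrintSeverity is what -p overrides on the CLI).
PrintSeverity=info
LogSeverity=err
SyslogSeverity=err
MailSeverity=none

[Misc]
# Re-scan the file tree every 2 hours when running as a daemon (-D).
Daemon=yes
SetFilecheckTime=7200
```

Validate the file with `samhain -t check --verify-config` before building the baseline with `samhain -t init`; a baseline taken from an already-compromised host will treat the compromise as normal.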

Parameters

-t _action_
Specify action: init (create baseline), check (verify against baseline), update (refresh database)
-D
Run as a daemon process
--foreground
Run in foreground, do not fork
-c _file_
Use alternate configuration file (default: /etc/samhainrc)
-p _priority_
Set logging priority: debug, info, notice, warn, err, crit
--verify-config
Check configuration file syntax and exit
-l _file_
Specify log file path
-e _file_
Specify database file path

FAQ


How do I run a basic samhain example?

Run `samhain -t init` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
