Projects / samhain


samhain is a daemon that can check file integrity, search the file tree for SUID files, and detect kernel module rootkits (Linux only). It can be used either standalone or as a client/server system for centralized monitoring, with strong (192-bit AES) encryption for client/server connections and the option to store databases and configuration files on the server. For tamper resistance, it supports signed database/configuration files and signed reports/audit logs. It has been tested on Linux, FreeBSD, Solaris, AIX, HP-UX, and Unixware.

Operating Systems

Recent releases

  •  15 May 2014 19:28

    Release Notes: All-numeric hostnames are correctly recognized now, and inline asm has been disabled on Cygwin/Windows.

    •  06 Dec 2013 19:37

      Release Notes: Support for sha2-256 has been added and some bugs have been fixed.

      •  19 Jun 2013 18:26

        Release Notes: A regression in the handling of growing log files has been fixed. For compiling with the kernel check option, the detection of an existing yet non-functional /dev/kmem device has been improved.

        •  17 Apr 2013 21:32

          Release Notes: Log rotation can be handled more gracefully now. An option to ignore modifications of transient files during their lifetime has been added, and it is possible now to build a Debian client package with a preset password. A problem with large groups has been fixed, as well as reconnecting to a temporarily unavailable Oracle database.

          •  19 Jan 2013 07:55

            Release Notes: This release fixes a regression that made samhain block indefinitely if the inotify mode for file checking was used.

            Recent comments

            21 Mar 2001 12:59 sk00t

            Samhain rocks da house!!!
            This is bar none *THE* coolest integrity checker out there. I've played with every single one I can find: Tripwire, Sentinel, Aide, FCheck, Viper, etc., etc., and this is the sh*t!


            1. Platform-independent (builds on just about anything)

            2. Small footprint

            3. Fast

            4. Stealth mode (very cool)

            5. Clean code (not somebody's sophomore C project)

            6. Client / server mode (send reports to a central server over a secure channel)

            7. Obscure Glen Danzig reference

            8. Docs that don't suck and an active development community


            Project Spotlight


            A Fluent OpenStack client API for Java.


            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.