The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. samhain is a file and host integrity and intrusion alert system suitable for single hosts as well as for large, UNIX-based networks. It offers advanced features to support and facilitate centralized monitoring. In particular, samhain can optionally be used as a client/server system with monitoring clients on individual hosts, and a central log server that collects the messages of all clients.
The configuration and database files for each client can be stored centrally and downloaded by clients from the log server. Using conditionals (based on hostname, machine type, OS, and OS release, all with regular expressions), a single configuration file for all hosts on the network can be constructed.
Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.
The client (or standalone) part is called samhain, while the server is referred to as yule. Both can run as daemon processes.
Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).
Since we are going to compile Samhain from source, you will need the required build tools installed:
apt-get install build-essential
Here is a short check list to follow: