README.SLACKWARE for samhain Edit the /etc/samhainrc file for your needs. I suggest at least these changes, but there may be others for your particular system: Comment out these lines: #file = /var/lib/rpm/__db.00? #file = /var/log/*.[0-9].gz #file = /var/log/*/*.[0-9][0-9].gz I don't like Daemon mode so I switched it off, as I run in cron.daily: # Daemon = yes Daemon = no I like to see the problems again and again in case I miss a report for some reason: ReportOnlyOnce = False Set a *real* email address here and uncomment so you get problems mailed to you when you run Samhain. It is best to use another server that handles email to make sure it doesn't get tampered with if there really is an intrusion: SetMailAddress=root@localhost I have sendmail set up (don't you?) on my system, so I use localhost for the relay: SetMailRelay = localhost And it's a good idea to put a nice subject header in your emailed reports: MailSubject = Samhain Report - myhostname Initialize the database as root. Note that this takes a while and always runs in daemon mode regardless of your configuration! samhain -t init If you want to run nightly checks, drop a script in cron.daily with something like this in it: #!/bin/sh /usr/sbin/samhain -t check You're done. It is a little work, but now you have daily integrity checks emailed to you about what's going on in your system, especially for things you did not do! And as Pat would say... Have Fun! --Richard Scott Smith