| The Samhain Host Integrity Monitoring System |
|---|
| Chapter 5. Configuring samhain, the host integrity monitor |
In the Misc section of the configuration file, you can set the interval (in seconds) between successive file checks:
SetFilecheckTime=value
Alternatively, you can specify a crontab-like schedule with:
FileCheckScheduleOne=schedule
The schedule follows the same rules as crontab(5) entries, with two notable exceptions: (a) lists are not allowed, and (b) ranges of names (like Mon-Fri) are allowed. See man 5 crontab for details. You can specify a list of schedules, with separate FileCheckScheduleOne=… directives on separate lines.
|  | Note | 
|---|---|
| If you need a list in your schedule, you can either use steps (like */2 for 'every two minutes/hours/...'), or you can specify a list of schedules, with separate FileCheckScheduleOne=… directives on separate lines. | 
If you want to check some files rather often, while doing a more extensive check only sometimes, this is supported as follows:
Enclose all directories for the more extensive check in a %SCHEDULE_TWO ... !%SCHEDULE_TWO block like:
%SCHEDULE_TWO
dir=/check/only/once/per/day
!%SCHEDULE_TWO
Define an optional second schedule as follows (as with FileCheckScheduleOne, you can specify a list of schedules):
FileCheckScheduleTwo=schedule2
Rules:
All files and directories will always be checked at FileCheckScheduleTwo.
All single files (file=…) will always be checked at both FileCheckScheduleOne and FileCheckScheduleTwo (rationale: this is required to check for missing/added files in directories).
All directories outside the %SCHEDULE_TWO block will be checked at both FileCheckScheduleOne and FileCheckScheduleTwo.
All directories inside the %SCHEDULE_TWO block will be checked at FileCheckScheduleTwo only.
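The following is an added example, not part of the samhain manual or its code: a small Python audit helper that applies the four rules above to a configuration and reports which directories are covered only by the less frequent FileCheckScheduleTwo. The sample configuration is constructed; the `[ReadOnly]` section placement, the paths, and the schedule values are assumptions, and recursion-depth prefixes on `dir=` are not handled.

```python
# Added example: which schedule(s) cover each samhainrc entry, per the rules above.
# SAMPLE_RC is constructed; the [ReadOnly] section and all paths are assumptions.
SAMPLE_RC = """\
[Misc]
FileCheckScheduleOne=*/10 * * * *
FileCheckScheduleTwo=30 2 * * *
[ReadOnly]
file=/etc/passwd
dir=/etc
%SCHEDULE_TWO
dir=/usr/lib
file=/usr/lib/libexample.so
!%SCHEDULE_TWO
"""

BOTH = ("One", "Two")
TWO_ONLY = ("Two",)


def schedule_coverage(rc_text):
    """Map each file=/dir= path to (kind, schedules) using the page's rules."""
    coverage, in_block = {}, False
    for lineno, raw in enumerate(rc_text.splitlines(), 1):
        line = raw.strip()
        if line == "%SCHEDULE_TWO":
            if in_block:
                raise ValueError(f"line {lineno}: nested %SCHEDULE_TWO")
            in_block = True
        elif line == "!%SCHEDULE_TWO":
            if not in_block:
                raise ValueError(f"line {lineno}: !%SCHEDULE_TWO without opener")
            in_block = False
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "file":
                # Single files are always checked at both schedules, even in the block.
                coverage[value] = ("file", BOTH)
            elif key == "dir":
                # Directories inside the block are checked at schedule two only.
                coverage[value] = ("dir", TWO_ONLY if in_block else BOTH)
    if in_block:
        raise ValueError("unterminated %SCHEDULE_TWO block")
    return coverage


def slow_only(rc_text):
    """Directories whose changes are noticed only at FileCheckScheduleTwo."""
    return sorted(p for p, (_, s) in schedule_coverage(rc_text).items() if s == TWO_ONLY)


if __name__ == "__main__":
    for path, (kind, schedules) in schedule_coverage(SAMPLE_RC).items():
        print(f"{kind:4} {path:28} {'+'.join(schedules)}")
```

Reviewing the output of `slow_only` shows which directories have the longest window before a modification is reported, which helps decide whether anything security-critical has been placed inside the %SCHEDULE_TWO block.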