Samhain | ||
---|---|---|
<<< Previous | Configuration — samhain, the file monitor | Next >>> |
Almost all time is spent in the checksum algorithm. To improve performance, you can use MD5 instead of TIGER, which will give some 20 per cent improvement (on Linux/i686). To switch to MD5, use the DigestAlgo option in the configuration file:
[Misc] # use MD5 DigestAlgo=MD5 |
Other things you can do are:
Build a static binary (use the --enable-static switch for configure). Static binaries are faster, and also more secure, because they cannot be subverted via libc.
![]() | NOTE |
---|---|
Unfortunately this is not possible on Solaris. This is not a bug in samhain, but is because some functions in Solaris are only supplied by dynamic libraries. |
Change the compiler switches to optimize more aggressively.
If on a commercial UNIX, check whether the native compiler produces faster code (you need an ANSI C compiler). The ./configure script honours CC (compiler) and CFLAGS environment variables.
On the other side, if you want to reduce the load caused by file checking, you can change the scheduling priority (see man nice), and/or limit the I/O:
[Misc] # low priority (positive argument means lower priority) SetNiceLevel=19 # kilobytes per second SetIOLimit=1000 |
Similarly, for the SUID check, you can limit the files per seconds:
[SuidCheck] # limit on files per seconds SuidCheckFps=250 |
<<< Previous | Home | Next >>> |
Modules | Up | yule, the log server |