Samhain -- how to stop it reading the entire database into memory?


We have seriously limited resources and Samhain seems to be the solution that responds to limiting resources like CPU etc most robustly for file integrity monitoring.

The target environment is an on-prem k8s deployment where we are interested in monitoring OS and configuration files on the node for security compliance.

There is around 50MB for the FIM solution, which would probably be deployed in a Daemonset across all nodes on the installation.

The issue that we have is that Samhain reads the entire database into memory on scan, so for 500k files it sits there with around 500MB of memory, which we cannot accommodate in the target environment. We can, however, allow significantly impaired performance for scanning if we can get Samhain to read from a database each time and not load it into memory. However, we have tried a few things and failed to do this (including some hacking of the code).

Has anybody done this successfully? (And can you share the solution?)

To avoid the x-y problem, if someone has a solution that accommodates FIM for resource-strapped hardware, that would be great.

Saxtheowl
One lightweight alternative is AIDE (Advanced Intrusion Detection Environment).
John Mahowald
Please edit your question to add more details. More about these files: where do they come from, what threats could change them, other ways you could verify their integrity like comparing to backup archives or checksums via package manager, why so many files? Operating system distro and version of managed hosts and central server. Have you explored immutable volumes, making unchanging storage read-only? How much throwing memory at the problem costs, and why not do that. Have you experimented with fewer files, does resource use decrease? What does "hacking of the code" mean?
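
The design the question asks about (look each file up in an on-disk database instead of holding the whole baseline in memory), shown as an added example. It is not Samhain code or a Samhain configuration and not part of the original thread; the SQLite schema and the function names are assumptions.

```python
import hashlib, os, sqlite3

def is_regular(p):
    return os.path.isfile(p) and not os.path.islink(p)

def digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # fixed-size chunks, never the whole file
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def walk(root):
    # Generator: only one directory listing is held at a time.
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            if is_regular(p := os.path.join(dirpath, n)):
                yield p

def init_baseline(db, root):
    # Assumed schema: one row per file; the primary key gives an index on path.
    con = sqlite3.connect(db)
    with con:
        con.execute("CREATE TABLE baseline (path TEXT PRIMARY KEY, sha256 TEXT)")
        con.executemany("INSERT INTO baseline VALUES (?, ?)",
                        ((p, digest(p)) for p in walk(root)))
    con.close()

def check(db, root):
    con = sqlite3.connect(db)
    con.execute("PRAGMA cache_size = -2048")  # cap SQLite page cache at ~2 MiB
    findings = []  # grows with the number of changes, not the number of files
    for p in walk(root):  # one indexed lookup per file instead of a loaded table
        row = con.execute("SELECT sha256 FROM baseline WHERE path = ?", (p,)).fetchone()
        if row is None:
            findings.append(("added", p))
        elif row[0] != digest(p):
            findings.append(("modified", p))
    for (p,) in con.execute("SELECT path FROM baseline"):  # streamed row by row
        if not is_regular(p):
            findings.append(("removed", p))
    con.close()
    return sorted(findings)
```

The baseline file should live on storage the monitored node cannot write to at check time, otherwise whoever can change a monitored file can also change its recorded digest.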