For even more stealthyness, it is possible to pack and encrypt the samhain executable. The packer is just moderately effective, but portable. Note that the encryption key of course must be present in the packed executable, thus this is no secure encryption, but rather is intended for obfuscation of the executable. There is a make target for packing the samhain executable:
make samhain.pk
On execution, 
      samhain.pk will unpack into
      a temporary file and execute this, passing along all command
      line arguments. The temporary file is created in 
      /tmp,
      if the sticky bit is set on this directory, and in 
      
      /usr/bin otherwise. The filename is chosen at
      random, and the file is only opened if it does not exist
      already (otherwise a new random filename will be tried). The
      file permission is set to 700.
The directory entry for the unpacked executable will be
      deleted after executing it, but on systems with a 
      
      /proc filesystem, the deleted entry may show up
      there. In particular, this is the case for Linux. You should
      be aware that this may raise suspicion.
On Linux, the 
      
      /proc filesystem is used to call the unpacked
      executable without a race condition, by executing 
      /proc/self/fd/NN, where
      NN is the file descriptor to which the unpacked executable
      has been written. On other systems, the filename of the
      unpacked executable must be used, which creates a race
      condition (the file may be modified between creation and
      execution).
The packed executable will not honour the SUID bit.