4. Signals

On startup, all signals will be reset to their default. Then a signal handler will be installed for all signals that (i) can be trapped by a process and (ii) whose default action would be to stop, abort, or terminate the process, to allow for graceful termination.

For SIGSEGV, SIGILL, SIGBUS, and SIGFPE, a 'fast' termination will occur, with only minimal cleanup that may result in a stale pid file being left.

If the operating system supports the siginfo_t parameter for the signal handling routine (see man sigaction), the origin of the signal will be checked.
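How a handler can obtain the origin of a signal through siginfo_t is sketched below. This is an added example, not samhain's own code: the function names and the trust policy (accept signals sent by root or by the process's own uid) are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

enum origin { ORIGIN_NONE, ORIGIN_NOT_A_PROCESS, ORIGIN_TRUSTED, ORIGIN_UNTRUSTED };

/* Written only by the handler, read only after 'seen' is set. */
static volatile sig_atomic_t seen;
static volatile int   last_code;
static volatile pid_t last_pid;
static volatile uid_t last_uid;

static void on_signal(int signo, siginfo_t *info, void *ctx)
{
    (void)signo; (void)ctx;
    last_code = info->si_code;  /* how the signal was generated */
    last_pid  = info->si_pid;   /* sender pid, valid for SI_USER/SI_QUEUE */
    last_uid  = info->si_uid;   /* sender real uid, same validity */
    seen = 1;
}

/* Assumed policy: trust signals sent by root or by our own real uid. */
enum origin classify_origin(int si_code, uid_t sender, uid_t self)
{
    if (si_code != SI_USER && si_code != SI_QUEUE)
        return ORIGIN_NOT_A_PROCESS;   /* kernel fault, timer, ... */
    return (sender == 0 || sender == self) ? ORIGIN_TRUSTED : ORIGIN_UNTRUSTED;
}

/* Install the three-argument handler, signal ourselves, classify the sender. */
enum origin self_signal_origin(int signo)
{
    struct sigaction sa = {0};
    sa.sa_sigaction = on_signal;
    sa.sa_flags = SA_SIGINFO;          /* ask the kernel to pass siginfo_t */
    seen = 0;
    if (sigaction(signo, &sa, NULL) != 0 || kill(getpid(), signo) != 0 || !seen)
        return ORIGIN_NONE;
    return classify_origin(last_code, last_uid, getuid());
}

int main(void)
{
    enum origin o = self_signal_origin(SIGUSR1);
    printf("origin=%d sender_pid=%ld\n", (int)o, (long)last_pid);
    return 0;
}
```

The self-test uses kill() rather than raise(), because raise() may report a different si_code than SI_USER.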

The following signals can be sent to the process to control it:

  • SIGUSR1 Switch on/off maximally verbose output to the console.

  • SIGUSR2 Suspend/continue the process, and (on suspend) send a message to the server. This message has the same priority as timestamps. This signal allows you to run samhain -t init -e none on the client to regenerate the database, with download of the configuration file from the server, while the daemon is suspended (normally you would get errors because of concurrent access to the server by two processes from the same host).

  • SIGTERM Terminate the process.

  • SIGQUIT Terminate the server process after processing all currently pending requests from clients. Terminate the client process after finishing the current task (from the terminal, SIGQUIT usually is Ctrl+\).

  • SIGHUP Re-read the configuration file. Note that it is not possible to override command-line options given at startup.

  • SIGTTIN / SIGABRT Unlock the log file, wait three seconds, then proceed. At the next access, the log file will be locked again and a fresh audit trail -- with a fresh signature key -- will be started. This allows log rotation without splitting an audit trail. See Section 5.1.

  • SIGTTOU Perform a file check. Only client/standalone, and only in daemon mode.

  • SIGTSTP Perform a silent file check. Only client/standalone, and only in daemon mode. The config file option SetFullSilent (boolean) can be used to switch on/off any informational message (e.g. start/end file check). The result of the file check can still be queried from the message queue via samhain -w. For security reasons, silent scans are not taken into consideration for the time till next file check.