function::user_int_warn - Linux


function::user_int_warn monitors user-defined integrity signals, which can be generated by other processes or applications, and raises a warning when a new signal is detected. It is primarily used by system administrators and developers to detect integrity violations and potential security issues.


function::user_int_warn [OPTIONS] SIGNAL [SIGNAL...]


  • -s, –signal-file: Specify a file path to store the integrity signals. Default: /tmp/user_int_warn_signals
  • -i, –ignore-list: Specify a file containing a list of signals to ignore.
  • -v, –verbose: Enable verbose output with additional information.
  • -h, –help: Show help message and exit.


Monitor specific signals:

function::user_int_warn -s /tmp/my_signals my_signal1 my_signal2

Ignore a specific signal:

function::user_int_warn -i /tmp/ignore.list -s /tmp/my_signals my_signal1 my_signal2

Monitor all signals and log events:

function::user_int_warn -v >> /var/log/user_int_warn.log &

Common Issues

  • Missing integrity file: Ensure that the -s option is provided and the specified file exists.
  • Duplicate signal definitions: Using the same signal name multiple times can lead to unexpected behavior.
  • Race conditions: Signals can be generated concurrently, so it is possible to miss a signal if the system is under heavy load or experiences high latencies.


Send signals from other processes:

#include <signal.h>
int main() {
  kill(getpid(), SIGUSR1);
  return 0;

Use in scripts:

function::user_int_warn my_signal
if [ $? -ne 0 ]; then
  # Handle signal violation

Related Commands

  • integrityctl: Manage and query kernel-level integrity signals.
  • auditd: Monitor and log security-related events on the system.