6324 Add an `ndp' tool for manipulating the neighbors table

[illumos-gate.git] / usr / src / man / man1m / audit_warn.1m

'\" te
.\" Copyright (c) 2003, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDIT_WARN 1M "Apr 16, 2008"
.SH NAME
audit_warn \- audit daemon warning script
.SH SYNOPSIS
.LP
.nf
\fB/etc/security/audit_warn\fR [\fIoption\fR [\fIarguments\fR]]
.fi

.SH DESCRIPTION
.sp
.LP
The \fBaudit_warn\fR utility processes warning or error messages from the audit
daemon. When a problem is encountered, the audit daemon, \fBauditd\fR(1M) calls
\fBaudit_warn\fR with the appropriate arguments. The \fIoption\fR argument
specifies the error type.
.sp
.LP
The system administrator can specify a list of mail recipients to be notified
when an audit_warn situation arises by defining a mail alias called
\fBaudit_warn\fR in \fBaliases\fR(4). The users that make up the
\fBaudit_warn\fR alias are typically the \fBaudit\fR and \fBroot\fR users.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fBallhard\fR \fIcount\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the hard limit for all filesystems has been exceeded \fIcount\fR
times. The default action for this option is to send mail to the
\fBaudit_warn\fR alias only if the \fIcount\fR is \fB1\fR, and to write a
message to the machine console every time. It is recommended that mail
\fInot\fR be sent every time as this could result in a the saturation of the
file system that contains the mail spool directory.
.RE

.sp
.ne 2
.na
\fB\fBallsoft\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the soft limit for all filesystems has been exceeded. The
default action for this option is to send mail to the \fBaudit_warn\fR alias
and to write a message to the machine console.
.RE

.sp
.ne 2
.na
\fB\fBauditoff\fR\fR
.ad
.sp .6
.RS 4n
Indicates that someone other than the audit daemon changed the system audit
state to something other than \fB\fR\fBAUC_AUDITING\fR\fB\&. \fR The audit
daemon will have exited in this case. The default action for this option is to
send mail to the \fBaudit_warn\fR alias and to write a message to the machine
console.
.RE

.sp
.ne 2
.na
\fB\fBebusy\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the audit daemon is already running. The default action for this
option is to send mail to the \fBaudit_warn\fR alias and to write a message to
the machine console.
.RE

.sp
.ne 2
.na
\fB\fBgetacdir\fR \fIcount\fR\fR
.ad
.sp .6
.RS 4n
Indicates that there is a problem getting the directory list or plugin list
from \fBaudit_control\fR(4). The audit daemon will hang in a sleep loop until
the file is fixed. The default action for this option is to send mail to the
\fBaudit_warn\fR alias only if \fIcount\fR is \fB1\fR, and to write a message
to the machine console every time. It is recommended that mail \fInot\fR be
sent every time as this could result in a the saturation of the file system
that contains the mail spool directory.
.RE

.sp
.ne 2
.na
\fB\fBhard\fR \fIfilename\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the hard limit for the file has been exceeded. The default
action for this option is to send mail to the \fBaudit_warn\fR alias and to
write a message to the machine console.
.RE

.sp
.ne 2
.na
\fB\fBnostart\fR\fR
.ad
.sp .6
.RS 4n
Indicates that auditing could not be started. The default action for this
option is to send mail to the \fBaudit_warn\fR alias and to write a message to
the machine console. Some administrators may prefer to modify \fBaudit_warn\fR
to reboot the system when this error occurs.
.RE

.sp
.ne 2
.na
\fB\fBplugin\fR \fIname\fR \fIerror\fR \fIcount\fR \fItext\fR\fR
.ad
.sp .6
.RS 4n
Indicates that an error occurred during execution of the \fBauditd\fR plugin
\fIname\fR. The default action for this option is to send mail to the
\fBaudit_warn\fR alias only if \fIcount\fR is 1, and to write a message to the
machine console every time. (Separate counts are kept for each error type.) It
is recommended that mail not be sent every time as this could result in the
saturation of the file system that contains the mail spool directory. The
\fItext\fR field provides the detailed error message passed from the plugin.
The \fIerror\fR field is one of the following strings:
.sp
.ne 2
.na
\fB\fBload_error\fR\fR
.ad
.RS 16n
Unable to load the plugin \fIname\fR.
.RE

.sp
.ne 2
.na
\fB\fBsys_error\fR\fR
.ad
.RS 16n
The plugin \fIname\fR is not executing due to a system error such as a lack of
resources.
.RE

.sp
.ne 2
.na
\fB\fBconfig_error\fR\fR
.ad
.RS 16n
No plugins loaded (including the binary file plugin, \fBaudit_binfile\fR(5))
due to configuration errors in \fBaudit_control\fR(4). The name string is
\fB--\fR to indicate that no plugin name applies.
.RE

.sp
.ne 2
.na
\fB\fBretry\fR\fR
.ad
.RS 16n
The plugin \fIname\fR reports it has encountered a temporary failure. For
example, the \fBaudit_binfree.so\fR plugin uses \fBretry\fR to indicate that
all directories are full.
.RE

.sp
.ne 2
.na
\fB\fBno_memory\fR\fR
.ad
.RS 16n
The plugin \fIname\fR reports a failure due to lack of memory.
.RE

.sp
.ne 2
.na
\fB\fBinvalid\fR\fR
.ad
.RS 16n
The plugin \fIname\fR reports it received an invalid input.
.RE

.sp
.ne 2
.na
\fB\fBfailure\fR\fR
.ad
.RS 16n
The plugin \fIname\fR has reported an error as described in \fItext\fR.
.RE

.RE

.sp
.ne 2
.na
\fB\fBpostsigterm\fR\fR
.ad
.sp .6
.RS 4n
Indicates that an error occurred during the orderly shutdown of the audit
daemon. The default action for this option is to send mail to the
\fBaudit_warn\fR alias and to write a message to the machine console.
.RE

.sp
.ne 2
.na
\fB\fBsoft\fR \fIfilename\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the soft limit for \fIfilename\fR has been exceeded. The default
action for this option is to send mail to the \fBaudit_warn\fR alias and to
write a message to the machine console.
.RE

.sp
.ne 2
.na
\fB\fBtmpfile\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the temporary audit file already exists indicating a fatal
error. The default action for this option is to send mail to the
\fBaudit_warn\fR alias and to write a message to the machine console.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE  ATTRIBUTE VALUE
_
Interface Stability     Evolving
.TE

.sp
.LP
The interface stability is evolving. The file content is unstable.
.SH SEE ALSO
.sp
.LP
\fBaudit\fR(1M), \fBauditd\fR(1M), \fBbsmconv\fR(1M), \fBaliases\fR(4),
\fBaudit.log\fR(4), \fBaudit_control\fR(4), \fBattributes\fR(5)
.sp
.LP
See the section on Solaris Auditing in \fISystem Administration Guide: Security
Services\fR.
.SH NOTES
.sp
.LP
This functionality is available only if the Solaris Auditing feature has been
enabled. See \fBbsmconv\fR(1M) for more information.
.sp
.LP
If the audit policy \fBperzone\fR is set, the \fB/etc/security/audit_warn\fR
script for the local zone is used for notifications from the local zone's
instance of \fBauditd\fR. If the \fBperzone\fR policy is not set, all
\fBauditd\fR errors are generated by the global zone's copy of
\fB/etc/security/audit_warn\fR.