5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
23 # Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
26 # This shell script warns the administrator when there are problems or
27 # potential problems with the audit daemon. The default script sends
28 # a message to the machine console in the case where there
29 # is no audit space available. It has comments in a few places where
30 # additional actions might be appropriate (eg. clearing some space).
32 #---------------------------------------------------------------------------
33 # send mail and generate syslog output
35 # $MESSAGE and $SUBJECT are set by the caller
37 # edit this function to omit syslog or mail output.
38 #---------------------------------------------------------------------------
# Fragment of the notification routine that the header comment describes as
# "send mail and generate syslog output". It reads $MESSAGE, $SUBJECT and
# $COUNT, which are set elsewhere in the script.
# NOTE(review): this listing is damaged. Every line carries the listing's own
# line number (42, 44, ...), and the numbering skips, so some source lines are
# not shown, including whatever opens and closes this routine. Several
# statements are also split across lines: read "LOGCMD" plus the following
# line as one assignment, and likewise ADDRESS, the sendmail path and
# STRIPPEDMSG. $MAILER and $SED are used below, but their definitions are not
# visible here.
42 LOGCMD
="$LOGGER -p daemon.alert"
44 ADDRESS
=audit_warn
# standard alias for audit alerts
46 # turn off redirect to /dev/null to see sendmail output
# sendmail -bv only verifies the address; this call delivers nothing.
# NOTE(review): the test of its exit status is not shown, so the
# "alias is not defined" alert below is presumably conditional on a failed
# verification - confirm against the full file.
# $ADDRESS is a fixed literal in the visible code, so the unquoted expansions
# are harmless as shown; quote them if the address ever becomes configurable.
47 /usr
/lib
/sendmail
-bv $ADDRESS > /dev
/null
51 $LOGCMD "The $ADDRESS mail alias is not defined"
# True when COUNT is empty/unset or numerically equal to 1; the "0" prefix
# keeps the -eq operand non-empty. A non-numeric COUNT makes the test itself
# report an error. The mail command on the next line is presumably the body
# of this test (the "then" line is not shown), which would limit mail to the
# first occurrence of a repeated warning.
# NOTE(review): POSIX marks the -o operator of test as obsolescent; two tests
# joined with || are the unambiguous form.
55 if [ -z "$COUNT" -o "0$COUNT" -eq 1 ]
# Mail body is "$0: $MESSAGE"; the subject is passed as one quoted argument.
# Whether echo turns the "\n" sequences embedded in MESSAGE into line breaks
# depends on the shell's echo implementation.
57 echo "$0: $MESSAGE" |
$MAILER -s "$SUBJECT" $ADDRESS
# Presumably meant to flatten MESSAGE to a single line for syslog.
# NOTE(review): sed works on one input line at a time, so "s/\n/ /g" normally
# has no newline to match; whether multi-line text is really flattened depends
# on how $STRIPPEDMSG is used afterwards (not shown). MESSAGE embeds
# caller-supplied values such as $FILE and $ERROR, so confirm that line breaks
# or control characters in them cannot split or forge syslog entries.
60 STRIPPEDMSG
=`echo "$MESSAGE" | $SED -e "s/\n/ /g"`
64 # If you change this script, script debug should first be done via the
65 # command line, so input errors are output via "echo," but syslog
66 # debug messages are better for testing from auditd since the echo
67 # output would be lost. For testing with auditd, replace
68 # 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'
# Top-level setup: logger path, argument-count check and mail subject.
# NOTE(review): the leading numbers are the listing's own line numbers, and the
# numbering skips; the DEBUG_OUT assignment and the then/exit/fi lines of the
# usage check are not shown. Read "LOGGER" and "SUBJECT" together with the
# line that follows each as single assignments.
# The logger binary is named by absolute path, so it is not resolved through
# the caller's PATH.
70 LOGGER
="/usr/bin/logger"
# Accepts between one and five arguments; otherwise the usage text is printed
# through $DEBUG_OUT (echo by default, per the comment above).
# NOTE(review): POSIX marks the -o operator of test as obsolescent; two tests
# joined with || are the unambiguous form.
74 if [ "$#" -lt "1" -o "$#" -gt "5" ]
76 $DEBUG_OUT "Usage: $0 <option> [<args>]"
# SUBJECT embeds $1 verbatim and is later passed to the mailer as a single
# quoted -s argument. It is built before the option dispatch further down
# that rejects unrecognized values of $1.
84 SUBJECT
="AUDIT DAEMON WARNING ($1)"
# Option arms for the soft-limit and single-filesystem hard-limit warnings.
# Each arm sets MESSAGE, which the header comment says the mail/syslog sender
# reads.
# NOTE(review): the leading numbers are the listing's own line numbers, and the
# numbering skips; the case header, the argument tests that guard the
# "Need filename arg" diagnostics, the FILE assignment, the call that sends
# the message and the ";;" terminators are not shown.
88 "soft" ) # Check soft arg
89 # One audit filesystem has filled to the soft limit
90 # that is configured in the audit service.
# Diagnostic for a missing filename argument, printed through $DEBUG_OUT.
94 $DEBUG_OUT "$0: Need filename arg with 'soft'!"
# $FILE is interpolated into text that goes to mail and syslog.
# NOTE(review): presumably FILE comes from the second argument; confirm the
# caller only passes audit file paths it generated itself.
101 MESSAGE
="Soft limit exceeded in file $FILE."
107 "allsoft" ) # Check all soft arg
108 # All the audit filesystems have filled to the soft
109 # limit set up in the audit service configuration.
# Fixed text; no caller-supplied value is interpolated.
112 MESSAGE
="Soft limit exceeded on all filesystems."
118 "hard" ) # Check hard arg
119 # One audit filesystem has filled completely.
# Diagnostic for a missing filename argument, printed through $DEBUG_OUT.
123 $DEBUG_OUT "$0: Need filename arg with 'hard'!"
# As in the "soft" arm, $FILE is interpolated into the outgoing text.
130 MESSAGE
="Hard limit exceeded in file $FILE."
# Option arm for the case where every audit filesystem is full.
# NOTE(review): the leading numbers are the listing's own line numbers; the
# test guarding the "Need count arg" diagnostic, the COUNT assignment, the
# call that sends the message and the ";;" terminator are not shown.
136 "allhard" ) # Check all hard arg
137 # All the audit filesystems have filled completely.
138 # The audit daemon will remain in a loop sleeping
139 # and checking for space until some space is freed.
# Diagnostic for a missing count argument, printed through $DEBUG_OUT.
143 $DEBUG_OUT "$0: Need count arg with 'allhard'!"
# COUNT is reported in the message; the sender also tests COUNT before
# mailing, so a repeated warning is presumably mailed only on its first
# occurrence.
150 MESSAGE
="Hard limit exceeded on all filesystems. (count=$COUNT)"
# Site-specific hook left by the authors for freeing audit space.
# NOTE(review): anything added here runs with whatever privileges the audit
# daemon uses to invoke this script, and freeing space by deleting audit files
# discards evidence; archive the trail before removing it.
154 # This might be a place to make space in the
155 # audit file systems.
# Option arms for "daemon already running" and temporary-file failures.
# NOTE(review): the leading numbers are the listing's own line numbers; the
# test guarding the "Need error string arg" diagnostic, the ERROR assignment,
# the calls that send the messages and the ";;" terminators are not shown.
160 "ebusy" ) # Check ebusy arg
161 # The audit daemon is already running and can not
162 # be started more than once.
# Fixed text; no caller-supplied value is interpolated.
165 MESSAGE
="The audit daemon is already running on this system."
171 "tmpfile" ) # Check tmpfile arg
172 # The tmpfile used by the audit daemon (binfile) could
173 # not be opened even unlinked or symlinked.
174 # This error will cause the audit daemon to exit at
175 # start. If it occurs later the audit daemon will
176 # attempt to carry on.
# Diagnostic for a missing error-string argument, printed through $DEBUG_OUT.
180 $DEBUG_OUT "$0: Need error string arg with 'tmpfile'!"
# $ERROR is interpolated into text that goes to mail and syslog. Inside double
# quotes "\n" stays a literal backslash-n in the variable; it only becomes a
# line break if the echo used by the sender interprets it.
# NOTE(review): presumably ERROR is the daemon's own error string; confirm it
# cannot carry line breaks or control characters into the log.
186 MESSAGE
="The audit daemon is unable to update /var/run, error=$ERROR.\n This implies a serious problem."
# Option arms for start failure, auditing switched off, and errors after
# SIGTERM. All three messages are fixed text with no caller-supplied values.
# NOTE(review): the leading numbers are the listing's own line numbers. In the
# multi-line MESSAGE strings below, the numbers 206, 207 and 235 sit inside
# the quotes only because of the extraction; they are not part of the message
# text. The calls that send the messages and the ";;" terminators are not
# shown.
193 "nostart" ) # Check no start arg
195 # auditd attempts to set the audit state; if
196 # it fails, it exits with a "nostart" code.
197 # The most likely cause is that the kernel
198 # audit module did not load due to a
199 # configuration error. auditd is not running.
# NOTE(review): the next comment sentence is cut off in this listing; the
# message text below states that a reboot is required.
201 # The audit daemon can not be started until
202 # the error is corrected and the system is
# A trailing backslash continues the string on the next line; "\n\n" stays
# literal in the variable and becomes line breaks only if the sender's echo
# interprets it.
205 MESSAGE
="audit failed to start because it cannot read or\
206 write the system's audit state. This may be due to a configuration error.\n\n\
207 Must reboot to start auditing!"
# This arm reports that auditing was disabled by something other than the
# audit daemon, which is worth treating as a possible tampering indicator
# until the cause is known.
214 "auditoff" ) # Check audit off arg
215 # Someone besides the audit daemon called the
216 # system call auditon to "turn auditing off"
217 # by setting the state to AUC_NOAUDIT. This
218 # will cause the audit daemon to exit.
221 MESSAGE
="Auditing has been turned off unexpectedly."
227 "postsigterm" ) # Check post sigterm arg
228 # While the audit daemon was trying to shutdown
229 # in an orderly fashion (corresponding to audit -t)
230 # it got another signal or an error. Some records
231 # may not have been written.
# The message warns that audit records may be missing for the shutdown window.
234 MESSAGE
="Received some signal or error while writing\
235 audit records after SIGTERM. Some audit records may have been lost."
# Option arm for plugin load or execution problems. The four diagnostics show
# it expects a plugin name, an error, a text and a count after the option,
# which matches the five-argument upper bound of the usage check.
# NOTE(review): the leading numbers are the listing's own line numbers, and the
# numbering skips; the tests guarding each diagnostic, the assignments that
# capture the arguments, the lines that set $S, part of the MESSAGE text and
# the ";;" terminator are not shown. The numbers 286 and 289 inside the
# MESSAGE quotes come from the extraction, not from the message.
241 "plugin" ) # Check plugin arg
243 # There is a problem loading a plugin or a plugin
244 # has reported a serious error.
245 # Output from the plugin is either blocked or halted.
249 $DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
257 $DEBUG_OUT "$0: Need error arg with 'plugin'!"
265 $DEBUG_OUT "$0: Need text arg with 'plugin'!"
273 $DEBUG_OUT "$0: Need count arg with 'plugin'!"
# $COUNT is unquoted, so an empty value leaves "[ -eq 1 ]" and test reports an
# error; presumably the count check above exits first - confirm. Quoting the
# operand would make the failure mode explicit.
# $S is presumably the plural suffix chosen by this test (assignment not
# shown).
277 if [ $COUNT -eq 1 ]; then
# NOTE(review): the message lines absent from this listing presumably carry
# the plugin name, error and text arguments; those are supplied by the caller,
# so confirm they cannot inject line breaks or control characters into the
# mail or syslog output.
285 MESSAGE
="The audit daemon has experienced the\
286 following problem with loading or executing plugins:\n\n\
289 This message has been displayed $COUNT time$S."
# Default arm: any option not matched above is reported through $DEBUG_OUT.
# $1 is echoed back verbatim inside a quoted string.
# NOTE(review): the leading numbers are the listing's own line numbers; the
# exit that presumably follows and the closing of the case statement are not
# shown in this listing.
294 * ) # Check other args
295 $DEBUG_OUT "$0: Arg not recognized: $1"