1 #! /bin/sh
3 # CDDL HEADER START
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
20 # CDDL HEADER END
23 # Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
26 # This shell script warns the administrator when there are problems or
27 # potential problems with the audit daemon. The default script sends
28 # a message to the machine console in the case where there
29 # is no audit space available. It has comments in a few places where
30 # additional actions might be appropriate (eg. clearing some space).
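#---------------------------------------------------------------------------
# send_msg - send mail and generate syslog output
#
# Globals read (set by the caller):
#   MESSAGE  text of the warning; may embed values taken from the script's
#            arguments, so it is handled strictly as data here
#   SUBJECT  mail subject line
#   COUNT    optional repeat counter; mail is sent only when it is unset,
#            empty or equal to 1, syslog output is generated every time
#   LOGGER   path of the logger command
#
# edit this function to omit syslog or mail output.
#---------------------------------------------------------------------------
send_msg() {
	MAILER=/usr/bin/mailx
	LOGCMD="$LOGGER -p daemon.alert"

	ADDRESS=audit_warn		# standard alias for audit alerts

	# turn off redirect to /dev/null to see sendmail output
	/usr/lib/sendmail -bv "$ADDRESS" > /dev/null

	if [ $? -ne 0 ]
	then
		# Fall back to root so the alert is not lost when the alias
		# has not been configured.
		$LOGCMD "The $ADDRESS mail alias is not defined"
		ADDRESS=root
	fi

	# Two separate tests instead of the obsolescent "-o" operator, which
	# can be mis-parsed when an operand looks like a test operator.
	if [ -z "$COUNT" ] || [ "0$COUNT" -eq 1 ]
	then
		echo "$0: $MESSAGE" | $MAILER -s "$SUBJECT" "$ADDRESS"
	fi

	# Syslog wants a single line. Word splitting of the unquoted
	# expansion folds newlines and runs of blanks into single spaces;
	# pathname expansion is switched off (in a subshell, so the caller's
	# shell options are untouched) so that a "*" or "?" inside a file
	# name or plugin text is logged literally rather than being replaced
	# by names from the current directory.
	# NOTE(review): where echo interprets backslash escapes, escapes
	# inside caller-supplied text are interpreted as well - confirm this
	# is acceptable for the alert text.
	STRIPPEDMSG=`echo "$MESSAGE"`
	( set -f; $LOGCMD $STRIPPEDMSG )
}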
# When modifying this script, debug it from the command line first: input
# errors are then reported via "echo".  Syslog debug messages are the
# better choice when testing from auditd, because echo output would be
# lost there.  For testing with auditd, replace
# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'

LOGGER="/usr/bin/logger"
DEBUG_OUT="echo"

# Check usage: between one and five arguments are accepted.
case "$#" in
1|2|3|4|5)
	;;
*)
	$DEBUG_OUT "Usage: $0 <option> [<args>]"
	exit 1
	;;
esac
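# Process args
#
# The first argument names the event; the remaining ones are its
# parameters.  Every arm ends in "break" (or "exit 1" on a usage error),
# so one invocation reports exactly one event and surplus arguments are
# ignored.
#
# The parameters (file name, error string, plugin name and text, count)
# are copied into MESSAGE unchanged.  They are supplied by whoever
# invokes the script, so they are always expanded inside double quotes
# here and must be treated as plain data by send_msg.
while [ -n "$1" ]
do

	SUBJECT="AUDIT DAEMON WARNING ($1)"

	case "$1" in

	"soft" )	# Check soft arg
			# One audit filesystem has filled to the soft limit
			# that is configured in the audit service.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'soft'!"
				exit 1
			else
				FILE=$2
			fi

			# Set message
			MESSAGE="Soft limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allsoft" )	# Check all soft arg
			# All the audit filesystems have filled to the soft
			# limit set up in the audit service configuration.

			# Set message
			MESSAGE="Soft limit exceeded on all filesystems."
			send_msg

			break
			;;

	"hard" )	# Check hard arg
			# One audit filesystem has filled completely.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'hard'!"
				exit 1
			else
				FILE=$2
			fi

			# Set message
			MESSAGE="Hard limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allhard" )	# Check all hard arg
			# All the audit filesystems have filled completely.
			# The audit daemon will remain in a loop sleeping
			# and checking for space until some space is freed.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'allhard'!"
				exit 1
			else
				# send_msg mails only when COUNT is 1, so
				# repeated reports reach syslog but not mail.
				COUNT=$2
			fi

			# Set message
			MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

			send_msg

			# This might be a place to make space in the
			# audit file systems.

			break
			;;

	"ebusy" )	# Check ebusy arg
			# The audit daemon is already running and can not
			# be started more than once.

			# Set message
			MESSAGE="The audit daemon is already running on this system."
			send_msg

			break
			;;

	"tmpfile" )	# Check tmpfile arg
			# The tmpfile used by the audit daemon (binfile) could
			# not be opened even unlinked or symlinked.
			# This error will cause the audit daemon to exit at
			# start.  If it occurs later the audit daemon will
			# attempt to carry on.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need error string arg with 'tmpfile'!"
				exit 1
			else
				ERROR=$2
			fi

			# Set message
			MESSAGE="The audit daemon is unable to update /var/run, error=$ERROR.\n This implies a serious problem."

			send_msg

			break
			;;

	"nostart" )	# Check no start arg

			# auditd attempts to set the audit state; if
			# it fails, it exits with a "nostart" code.
			# The most likely cause is that the kernel
			# audit module did not load due to a
			# configuration error.  auditd is not running.
			#
			# The audit daemon can not be started until
			# the error is corrected and the system is
			# rebooted.

			MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
 Must reboot to start auditing!"

			send_msg

			break
			;;

	"auditoff" )	# Check audit off arg
			# Someone besides the audit daemon called the
			# system call auditon to "turn auditing off"
			# by setting the state to AUC_NOAUDIT.  This
			# will cause the audit daemon to exit.

			# Set message
			MESSAGE="Auditing has been turned off unexpectedly."
			send_msg

			break
			;;

	"postsigterm" )	# Check post sigterm arg
			# While the audit daemon was trying to shutdown
			# in an orderly fashion (corresponding to audit -t)
			# it got another signal or an error.  Some records
			# may not have been written.

			# Set message
			MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM. Some audit records may have been lost."
			send_msg

			break
			;;

	"plugin" )	# Check plugin arg

			# There is a problem loading a plugin or a plugin
			# has reported a serious error.
			# Output from the plugin is either blocked or halted.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
				exit 1
			else
				PLUGNAME=$2
			fi

			if [ -z "$3" ]
			then
				$DEBUG_OUT "$0: Need error arg with 'plugin'!"
				exit 1
			else
				ERROR=$3
			fi

			if [ -z "$4" ]
			then
				$DEBUG_OUT "$0: Need text arg with 'plugin'!"
				exit 1
			else
				TEXT=$4
			fi

			if [ -z "$5" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'plugin'!"
				exit 1
			else
				COUNT=$5
				# Quoted so that a count containing blanks or
				# test operators cannot change how the test is
				# parsed; a non-numeric count makes the test
				# fail and selects the plural form.
				if [ "$COUNT" -eq 1 ]; then
					S=""
				else
					S="s"
				fi
			fi

			# Set message
			MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
 $PLUGNAME: $ERROR\n\
 $TEXT\n\
 This message has been displayed $COUNT time$S."
			send_msg
			break
			;;

	* )		# Check other args
			$DEBUG_OUT "$0: Arg not recognized: $1"
			exit 1
			;;

	esac

	shift
done

exit 0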