#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#
# This shell script warns the administrator when there are problems or
# potential problems with the audit daemon. The default script sends
# a message to the machine console in the case where there
# is no audit space available. It has comments in a few places where
# additional actions might be appropriate (eg. clearing some space).
#
#---------------------------------------------------------------------------
# send mail and generate syslog output
#
# $MESSAGE and $SUBJECT are set by the caller
#
# edit this function to omit syslog or mail output.
#---------------------------------------------------------------------------
LOGCMD="$LOGGER -p daemon.alert"
ADDRESS=audit_warn # standard alias for audit alerts
if [ $? -ne 0 ]
then
fi
then
fi
}
# If you change this script, script debug should first be done via the
# command line, so input errors are output via "echo," but syslog
# debug messages are better for testing from auditd since the echo
# output would be lost. For testing with auditd, replace
# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'
DEBUG_OUT="echo"
# Check usage
then
$DEBUG_OUT "Usage: $0 <option> [<args>]"
exit 1
fi
# Process args
while [ -n "$1" ]
do
SUBJECT="AUDIT DAEMON WARNING ($1)"
case "$1" in
"soft" ) # Check soft arg
# One audit filesystem has filled to the soft limit
# that is configured in the audit service.
if [ ! -n "$2" ]
then
$DEBUG_OUT "$0: Need filename arg with 'soft'!"
exit 1
else
FILE=$2
fi
# Set message
break
;;
"allsoft" ) # Check all soft arg
# All the audit filesystems have filled to the soft
# limit set up in the audit service configuration.
# Set message
MESSAGE="Soft limit exceeded on all filesystems."
break
;;
"hard" ) # Check hard arg
# One audit filesystem has filled completely.
if [ ! -n "$2" ]
then
$DEBUG_OUT "$0: Need filename arg with 'hard'!"
exit 1
else
FILE=$2
fi
# Set message
break
;;
"allhard" ) # Check all hard arg
# All the audit filesystems have filled completely.
# The audit daemon will remain in a loop sleeping
# and checking for space until some space is freed.
if [ ! -n "$2" ]
then
$DEBUG_OUT "$0: Need count arg with 'allhard'!"
exit 1
else
COUNT=$2
fi
# Set message
# This might be a place to make space in the
# audit file systems.
break
;;
"ebusy" ) # Check ebusy arg
# The audit daemon is already running and can not
# be started more than once.
# Set message
MESSAGE="The audit daemon is already running on this system."
break
;;
"tmpfile" ) # Check tmpfile arg
# The tmpfile used by the audit daemon (binfile) could
# not be opened even unlinked or symlinked.
# This error will cause the audit daemon to exit at
# start. If it occurs later the audit daemon will
# attempt to carry on.
if [ ! -n "$2" ]
then
$DEBUG_OUT "$0: Need error string arg with 'tmpfile'!"
exit 1
else
ERROR=$2
fi
# Set message
MESSAGE="The audit daemon is unable to update /var/run, error=$ERROR.\n This implies a serious problem."
break
;;
"nostart" ) # Check no start arg
# auditd attempts to set the audit state; if
# it fails, it exits with a "nostart" code.
# The most likely cause is that the kernel
# audit module did not load due to a
# configuration error. auditd is not running.
#
# The audit daemon can not be started until
# the error is corrected and the system is
# rebooted.
MESSAGE="audit failed to start because it cannot read or\
write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"
break
;;
"auditoff" ) # Check audit off arg
# Someone besides the audit daemon called the
# system call auditon to "turn auditing off"
# by setting the state to AUC_NOAUDIT. This
# will cause the audit daemon to exit.
# Set message
MESSAGE="Auditing has been turned off unexpectedly."
break
;;
"postsigterm" ) # Check post sigterm arg
# While the audit daemon was trying to shutdown
# in an orderly fashion (corresponding to audit -t)
# it got another signal or an error. Some records
# may not have been written.
# Set message
MESSAGE="Received some signal or error while writing\
audit records after SIGTERM. Some audit records may have been lost."
break
;;
"plugin" ) # Check plugin arg
# There is a problem loading a plugin or a plugin
# has reported a serious error.
# Output from the plugin is either blocked or halted.
if [ ! -n "$2" ]
then
$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
exit 1
else
PLUGNAME=$2
fi
if [ ! -n "$3" ]
then
$DEBUG_OUT "$0: Need error arg with 'plugin'!"
exit 1
else
ERROR=$3
fi
if [ ! -n "$4" ]
then
$DEBUG_OUT "$0: Need text arg with 'plugin'!"
exit 1
else
TEXT=$4
fi
if [ ! -n "$5" ]
then
$DEBUG_OUT "$0: Need count arg with 'plugin'!"
exit 1
else
COUNT=$5
S=""
else
S="s"
fi
fi
# Set message
MESSAGE="The audit daemon has experienced the\
following problem with loading or executing plugins:\n\n\
$TEXT\n\
This message has been displayed $COUNT time$S."
break
;;
* ) # Check other args
$DEBUG_OUT "$0: Arg not recognized: $1"
exit 1
;;
esac
shift
done
exit 0