1 /*-
2 * Copyright (c) 2005-2009 Apple Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <sys/types.h>
31
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <unistd.h>
35
36 #include "auditd.h"
37
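/*
 * Run the audit_warn script (AUDITWARN_SCRIPT) in a forked child, forwarding
 * the NULL-terminated args vector as the script's arguments.
 *
 * At most WARN_ARGS_MAX entries of args are forwarded; anything beyond that
 * is silently dropped.  The arguments are handed to execv(2) as a plain
 * argument vector, so no shell parses them on the way; how the script itself
 * treats them (for example a trail file name) is outside this function.
 *
 * Returns 0 once the child has been forked and -1 if fork(2) failed.  The
 * parent does not wait for the child, so an exec failure is only visible as
 * the syslog(3) message written by the child.
 *
 * NOTE(review): the child is not reaped here; presumably the daemon handles
 * SIGCHLD elsewhere -- confirm against the caller.
 */
static int
auditwarnlog(char *args[])
{
	enum { WARN_ARGS_MAX = 8 };
	/*
	 * Script path + up to WARN_ARGS_MAX forwarded arguments + terminating
	 * NULL.  The previous 9-slot array left no room for the terminator
	 * when eight arguments were supplied.
	 */
	char *loc_args[WARN_ARGS_MAX + 2];
	pid_t pid;
	int i;

	loc_args[0] = AUDITWARN_SCRIPT;
	/* Test the bound first so args[] is never read past the limit. */
	for (i = 0; i < WARN_ARGS_MAX && args[i] != NULL; i++)
		loc_args[i + 1] = args[i];
	loc_args[i + 1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child: only reached past execv() when the exec failed.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * _exit() rather than exit(): the forked child must not run
		 * the parent's atexit handlers or flush its stdio buffers.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 */
	return (0);
}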
70
/*
 * Report that the hard limit for all filesystems has been exceeded.
 *
 * Passes HARDLIM_ALL_WARN to the audit_warn script and returns the result of
 * auditwarnlog().
 */
int
audit_warn_allhard(void)
{
	char *warn_argv[] = { HARDLIM_ALL_WARN, NULL };

	return auditwarnlog(warn_argv);
}
84
/*
 * Report that the soft limit for all filesystems has been exceeded.
 *
 * Passes SOFTLIM_ALL_WARN to the audit_warn script and returns the result of
 * auditwarnlog().
 */
int
audit_warn_allsoft(void)
{
	char *warn_argv[] = { SOFTLIM_ALL_WARN, NULL };

	return auditwarnlog(warn_argv);
}
98
/*
 * Report that someone other than the audit daemon turned off auditing.
 * XXX It is not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 *
 * Passes AUDITOFF_WARN to the audit_warn script and returns the result of
 * auditwarnlog().
 */
int
audit_warn_auditoff(void)
{
	char *warn_argv[] = { AUDITOFF_WARN, NULL };

	return auditwarnlog(warn_argv);
}
115
/*
 * Report that a trail file has been closed and can now be post-processed.
 *
 * filename is forwarded unmodified as a single argument after CLOSEFILE_WARN;
 * a NULL filename simply ends the argument list early.  Returns the result of
 * auditwarnlog().
 */
int
audit_warn_closefile(char *filename)
{
	char *warn_argv[] = { CLOSEFILE_WARN, filename, NULL };

	return auditwarnlog(warn_argv);
}
130
/*
 * Report that the audit daemon is already running.
 *
 * Passes EBUSY_WARN to the audit_warn script and returns the result of
 * auditwarnlog().
 */
int
audit_warn_ebusy(void)
{
	char *warn_argv[] = { EBUSY_WARN, NULL };

	return auditwarnlog(warn_argv);
}
144
/*
 * Report a problem getting the directory from audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 *
 * filename is forwarded unmodified as a single argument after GETACDIR_WARN.
 * Returns the result of auditwarnlog().
 */
int
audit_warn_getacdir(char *filename)
{
	char *warn_argv[] = { GETACDIR_WARN, filename, NULL };

	return auditwarnlog(warn_argv);
}
163
/*
 * Report that the hard limit for this file has been exceeded.
 *
 * filename is forwarded unmodified as a single argument after HARDLIM_WARN.
 * Returns the result of auditwarnlog().
 */
int
audit_warn_hard(char *filename)
{
	char *warn_argv[] = { HARDLIM_WARN, filename, NULL };

	return auditwarnlog(warn_argv);
}
178
/*
 * Report that auditing could not be started.
 *
 * Passes NOSTART_WARN to the audit_warn script and returns the result of
 * auditwarnlog().
 */
int
audit_warn_nostart(void)
{
	char *warn_argv[] = { NOSTART_WARN, NULL };

	return auditwarnlog(warn_argv);
}
192
/*
 * Report that an error occurred during the orderly shutdown of the audit
 * daemon.
 *
 * Passes POSTSIGTERM_WARN to the audit_warn script and returns the result of
 * auditwarnlog().
 */
int
audit_warn_postsigterm(void)
{
	char *warn_argv[] = { POSTSIGTERM_WARN, NULL };

	return auditwarnlog(warn_argv);
}
207
/*
 * Report that the soft limit for this file has been exceeded.
 *
 * filename is forwarded unmodified as a single argument after SOFTLIM_WARN.
 * Returns the result of auditwarnlog().
 */
int
audit_warn_soft(char *filename)
{
	char *warn_argv[] = { SOFTLIM_WARN, filename, NULL };

	return auditwarnlog(warn_argv);
}
222
/*
 * Report that the temporary audit file already exists, which indicates a
 * fatal error.
 *
 * Passes TMPFILE_WARN to the audit_warn script and returns the result of
 * auditwarnlog().
 */
int
audit_warn_tmpfile(void)
{
	char *warn_argv[] = { TMPFILE_WARN, NULL };

	return auditwarnlog(warn_argv);
}
237
/*
 * Report that this trail file has expired and was removed.
 *
 * filename is forwarded unmodified as a single argument after EXPIRED_WARN.
 * Returns the result of auditwarnlog().
 */
int
audit_warn_expired(char *filename)
{
	char *warn_argv[] = { EXPIRED_WARN, filename, NULL };

	return auditwarnlog(warn_argv);
}
252