152267f74SRobert Watson /*-
206edd2f1SRobert Watson * Copyright (c) 2005-2009 Apple Inc.
3ca0716f5SRobert Watson * All rights reserved.
4ca0716f5SRobert Watson *
5ca0716f5SRobert Watson * Redistribution and use in source and binary forms, with or without
6ca0716f5SRobert Watson * modification, are permitted provided that the following conditions
7ca0716f5SRobert Watson * are met:
8ca0716f5SRobert Watson *
9ca0716f5SRobert Watson * 1. Redistributions of source code must retain the above copyright
10ca0716f5SRobert Watson * notice, this list of conditions and the following disclaimer.
11ca0716f5SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright
12ca0716f5SRobert Watson * notice, this list of conditions and the following disclaimer in the
13ca0716f5SRobert Watson * documentation and/or other materials provided with the distribution.
1452267f74SRobert Watson * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15ca0716f5SRobert Watson * its contributors may be used to endorse or promote products derived
16ca0716f5SRobert Watson * from this software without specific prior written permission.
17ca0716f5SRobert Watson *
18ca0716f5SRobert Watson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19ca0716f5SRobert Watson * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20ca0716f5SRobert Watson * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21ca0716f5SRobert Watson * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22ca0716f5SRobert Watson * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23ca0716f5SRobert Watson * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24ca0716f5SRobert Watson * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25ca0716f5SRobert Watson * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26ca0716f5SRobert Watson * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27ca0716f5SRobert Watson * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28ca0716f5SRobert Watson */
29ca0716f5SRobert Watson
30ca0716f5SRobert Watson #include <sys/types.h>
313b97a967SRobert Watson
32ca0716f5SRobert Watson #include <stdio.h>
333b97a967SRobert Watson #include <stdlib.h>
343b97a967SRobert Watson #include <unistd.h>
35ca0716f5SRobert Watson
36ca0716f5SRobert Watson #include "auditd.h"
37ca0716f5SRobert Watson
38ca0716f5SRobert Watson /*
39ca0716f5SRobert Watson * Write an audit-related error to the system log via syslog(3).
40ca0716f5SRobert Watson */
41ca0716f5SRobert Watson static int
auditwarnlog(char * args[])42ca0716f5SRobert Watson auditwarnlog(char *args[])
43ca0716f5SRobert Watson {
44ca0716f5SRobert Watson char *loc_args[9];
45ca0716f5SRobert Watson pid_t pid;
46ca0716f5SRobert Watson int i;
47ca0716f5SRobert Watson
48ca0716f5SRobert Watson loc_args[0] = AUDITWARN_SCRIPT;
49ca0716f5SRobert Watson for (i = 0; args[i] != NULL && i < 8; i++)
50ca0716f5SRobert Watson loc_args[i+1] = args[i];
51ca0716f5SRobert Watson loc_args[i+1] = NULL;
52ca0716f5SRobert Watson
53ca0716f5SRobert Watson pid = fork();
54ca0716f5SRobert Watson if (pid == -1)
55ca0716f5SRobert Watson return (-1);
56ca0716f5SRobert Watson if (pid == 0) {
57ca0716f5SRobert Watson /*
58ca0716f5SRobert Watson * Child.
59ca0716f5SRobert Watson */
60ca0716f5SRobert Watson execv(AUDITWARN_SCRIPT, loc_args);
61ca0716f5SRobert Watson syslog(LOG_ERR, "Could not exec %s (%m)\n",
62ca0716f5SRobert Watson AUDITWARN_SCRIPT);
63ca0716f5SRobert Watson exit(1);
64ca0716f5SRobert Watson }
65ca0716f5SRobert Watson /*
66ca0716f5SRobert Watson * Parent.
67ca0716f5SRobert Watson */
68ca0716f5SRobert Watson return (0);
69ca0716f5SRobert Watson }
70ca0716f5SRobert Watson
71ca0716f5SRobert Watson /*
727a0a89d2SRobert Watson * Indicates that the hard limit for all filesystems has been exceeded.
73ca0716f5SRobert Watson */
74ca0716f5SRobert Watson int
audit_warn_allhard(void)757a0a89d2SRobert Watson audit_warn_allhard(void)
76ca0716f5SRobert Watson {
777a0a89d2SRobert Watson char *args[2];
78ca0716f5SRobert Watson
79ca0716f5SRobert Watson args[0] = HARDLIM_ALL_WARN;
807a0a89d2SRobert Watson args[1] = NULL;
81ca0716f5SRobert Watson
82ca0716f5SRobert Watson return (auditwarnlog(args));
83ca0716f5SRobert Watson }
84ca0716f5SRobert Watson
85ca0716f5SRobert Watson /*
86ca0716f5SRobert Watson * Indicates that the soft limit for all filesystems has been exceeded.
87ca0716f5SRobert Watson */
88ca0716f5SRobert Watson int
audit_warn_allsoft(void)89ca0716f5SRobert Watson audit_warn_allsoft(void)
90ca0716f5SRobert Watson {
91ca0716f5SRobert Watson char *args[2];
92ca0716f5SRobert Watson
93ca0716f5SRobert Watson args[0] = SOFTLIM_ALL_WARN;
94ca0716f5SRobert Watson args[1] = NULL;
95ca0716f5SRobert Watson
96ca0716f5SRobert Watson return (auditwarnlog(args));
97ca0716f5SRobert Watson }
98ca0716f5SRobert Watson
99ca0716f5SRobert Watson /*
100ca0716f5SRobert Watson * Indicates that someone other than the audit daemon turned off auditing.
101ca0716f5SRobert Watson * XXX Its not clear at this point how this function will be invoked.
102ca0716f5SRobert Watson *
103ca0716f5SRobert Watson * XXXRW: This function is not used.
104ca0716f5SRobert Watson */
105ca0716f5SRobert Watson int
audit_warn_auditoff(void)106ca0716f5SRobert Watson audit_warn_auditoff(void)
107ca0716f5SRobert Watson {
108ca0716f5SRobert Watson char *args[2];
109ca0716f5SRobert Watson
110ca0716f5SRobert Watson args[0] = AUDITOFF_WARN;
111ca0716f5SRobert Watson args[1] = NULL;
112ca0716f5SRobert Watson
113ca0716f5SRobert Watson return (auditwarnlog(args));
114ca0716f5SRobert Watson }
115ca0716f5SRobert Watson
116ca0716f5SRobert Watson /*
1174bd0c025SRobert Watson * Indicate that a trail file has been closed, so can now be post-processed.
1184bd0c025SRobert Watson */
1194bd0c025SRobert Watson int
audit_warn_closefile(char * filename)1204bd0c025SRobert Watson audit_warn_closefile(char *filename)
1214bd0c025SRobert Watson {
1224bd0c025SRobert Watson char *args[3];
1234bd0c025SRobert Watson
1244bd0c025SRobert Watson args[0] = CLOSEFILE_WARN;
1254bd0c025SRobert Watson args[1] = filename;
1264bd0c025SRobert Watson args[2] = NULL;
1274bd0c025SRobert Watson
1284bd0c025SRobert Watson return (auditwarnlog(args));
1294bd0c025SRobert Watson }
1304bd0c025SRobert Watson
1314bd0c025SRobert Watson /*
132ca0716f5SRobert Watson * Indicates that the audit deammn is already running
133ca0716f5SRobert Watson */
134ca0716f5SRobert Watson int
audit_warn_ebusy(void)135ca0716f5SRobert Watson audit_warn_ebusy(void)
136ca0716f5SRobert Watson {
137ca0716f5SRobert Watson char *args[2];
138ca0716f5SRobert Watson
139ca0716f5SRobert Watson args[0] = EBUSY_WARN;
140ca0716f5SRobert Watson args[1] = NULL;
141ca0716f5SRobert Watson
142ca0716f5SRobert Watson return (auditwarnlog(args));
143ca0716f5SRobert Watson }
144ca0716f5SRobert Watson
145ca0716f5SRobert Watson /*
146ca0716f5SRobert Watson * Indicates that there is a problem getting the directory from
147ca0716f5SRobert Watson * audit_control.
148ca0716f5SRobert Watson *
149ca0716f5SRobert Watson * XXX Note that we take the filename instead of a count as the argument here
150ca0716f5SRobert Watson * (different from BSM).
151ca0716f5SRobert Watson */
152ca0716f5SRobert Watson int
audit_warn_getacdir(char * filename)153ca0716f5SRobert Watson audit_warn_getacdir(char *filename)
154ca0716f5SRobert Watson {
155ca0716f5SRobert Watson char *args[3];
156ca0716f5SRobert Watson
157ca0716f5SRobert Watson args[0] = GETACDIR_WARN;
158ca0716f5SRobert Watson args[1] = filename;
159ca0716f5SRobert Watson args[2] = NULL;
160ca0716f5SRobert Watson
161ca0716f5SRobert Watson return (auditwarnlog(args));
162ca0716f5SRobert Watson }
163ca0716f5SRobert Watson
164ca0716f5SRobert Watson /*
165ca0716f5SRobert Watson * Indicates that the hard limit for this file has been exceeded.
166ca0716f5SRobert Watson */
167ca0716f5SRobert Watson int
audit_warn_hard(char * filename)168ca0716f5SRobert Watson audit_warn_hard(char *filename)
169ca0716f5SRobert Watson {
170ca0716f5SRobert Watson char *args[3];
171ca0716f5SRobert Watson
172ca0716f5SRobert Watson args[0] = HARDLIM_WARN;
173ca0716f5SRobert Watson args[1] = filename;
174ca0716f5SRobert Watson args[2] = NULL;
175ca0716f5SRobert Watson
176ca0716f5SRobert Watson return (auditwarnlog(args));
177ca0716f5SRobert Watson }
178ca0716f5SRobert Watson
179ca0716f5SRobert Watson /*
180ca0716f5SRobert Watson * Indicates that auditing could not be started.
181ca0716f5SRobert Watson */
182ca0716f5SRobert Watson int
audit_warn_nostart(void)183ca0716f5SRobert Watson audit_warn_nostart(void)
184ca0716f5SRobert Watson {
185ca0716f5SRobert Watson char *args[2];
186ca0716f5SRobert Watson
187ca0716f5SRobert Watson args[0] = NOSTART_WARN;
188ca0716f5SRobert Watson args[1] = NULL;
189ca0716f5SRobert Watson
190ca0716f5SRobert Watson return (auditwarnlog(args));
191ca0716f5SRobert Watson }
192ca0716f5SRobert Watson
193ca0716f5SRobert Watson /*
194ca0716f5SRobert Watson * Indicaes that an error occrred during the orderly shutdown of the audit
195ca0716f5SRobert Watson * daemon.
196ca0716f5SRobert Watson */
197ca0716f5SRobert Watson int
audit_warn_postsigterm(void)198ca0716f5SRobert Watson audit_warn_postsigterm(void)
199ca0716f5SRobert Watson {
200ca0716f5SRobert Watson char *args[2];
201ca0716f5SRobert Watson
202ca0716f5SRobert Watson args[0] = POSTSIGTERM_WARN;
203ca0716f5SRobert Watson args[1] = NULL;
204ca0716f5SRobert Watson
205ca0716f5SRobert Watson return (auditwarnlog(args));
206ca0716f5SRobert Watson }
207ca0716f5SRobert Watson
208ca0716f5SRobert Watson /*
209ca0716f5SRobert Watson * Indicates that the soft limit for this file has been exceeded.
210ca0716f5SRobert Watson */
211ca0716f5SRobert Watson int
audit_warn_soft(char * filename)212ca0716f5SRobert Watson audit_warn_soft(char *filename)
213ca0716f5SRobert Watson {
214ca0716f5SRobert Watson char *args[3];
215ca0716f5SRobert Watson
216ca0716f5SRobert Watson args[0] = SOFTLIM_WARN;
217ca0716f5SRobert Watson args[1] = filename;
218ca0716f5SRobert Watson args[2] = NULL;
219ca0716f5SRobert Watson
220ca0716f5SRobert Watson return (auditwarnlog(args));
221ca0716f5SRobert Watson }
222ca0716f5SRobert Watson
223ca0716f5SRobert Watson /*
224ca0716f5SRobert Watson * Indicates that the temporary audit file already exists indicating a fatal
225ca0716f5SRobert Watson * error.
226ca0716f5SRobert Watson */
227ca0716f5SRobert Watson int
audit_warn_tmpfile(void)228ca0716f5SRobert Watson audit_warn_tmpfile(void)
229ca0716f5SRobert Watson {
230ca0716f5SRobert Watson char *args[2];
231ca0716f5SRobert Watson
232ca0716f5SRobert Watson args[0] = TMPFILE_WARN;
233ca0716f5SRobert Watson args[1] = NULL;
234ca0716f5SRobert Watson
235ca0716f5SRobert Watson return (auditwarnlog(args));
236ca0716f5SRobert Watson }
23706edd2f1SRobert Watson
23806edd2f1SRobert Watson /*
23906edd2f1SRobert Watson * Indicates that this trail file has expired and was removed.
24006edd2f1SRobert Watson */
24106edd2f1SRobert Watson int
audit_warn_expired(char * filename)24206edd2f1SRobert Watson audit_warn_expired(char *filename)
24306edd2f1SRobert Watson {
24406edd2f1SRobert Watson char *args[3];
24506edd2f1SRobert Watson
24606edd2f1SRobert Watson args[0] = EXPIRED_WARN;
24706edd2f1SRobert Watson args[1] = filename;
24806edd2f1SRobert Watson args[2] = NULL;
24906edd2f1SRobert Watson
25006edd2f1SRobert Watson return (auditwarnlog(args));
25106edd2f1SRobert Watson }
252