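/*
 * Copyright (c) 2005 Apple Computer, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#8 $
 */

#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include "auditd.h"

/*
 * Maximum number of caller-supplied arguments forwarded to the audit_warn
 * script.  Entries beyond this count are silently dropped.
 */
#define	AUDITWARN_MAXARGS	8

/*
 * Run AUDITWARN_SCRIPT in a forked child, passing it the NULL-terminated
 * argument list args (at most AUDITWARN_MAXARGS entries are forwarded).
 * syslog(3) is used only to report a failed exec from the child.
 *
 * Returns 0 once the child has been forked and -1 if fork(2) fails.  The
 * return value says nothing about whether the script itself ran or
 * succeeded.
 *
 * The script is started with execv(2) and an explicit argv, so no shell
 * parses the arguments at this layer; the script is still responsible for
 * quoting whatever it does with them (notably file names).
 *
 * NOTE(review): the child is not waited for here; reaping is presumably
 * handled elsewhere in the daemon (e.g. a SIGCHLD handler) -- confirm.
 * NOTE(review): syslog(3) and LOG_ERR are not declared by any header
 * included directly in this file; presumably auditd.h provides them --
 * confirm.
 */
static int
auditwarnlog(char *args[])
{
	/*
	 * Script name + forwarded arguments + terminating NULL.  The array
	 * used to have 9 slots, so a full list of 8 arguments made the
	 * terminator land one element past the end.
	 */
	char *loc_args[AUDITWARN_MAXARGS + 2];
	pid_t pid;
	int i;

	loc_args[0] = AUDITWARN_SCRIPT;
	/* Test the bound first so args[] is never read past the limit. */
	for (i = 0; i < AUDITWARN_MAXARGS && args[i] != NULL; i++)
		loc_args[i + 1] = args[i];
	loc_args[i + 1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child.  execv(2) only returns on failure.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * Leave with _exit(2) rather than exit(3): the child is a
		 * copy of the daemon, and exit(3) would run any atexit
		 * handlers the daemon registered and flush its inherited
		 * stdio buffers a second time.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 */
	return (0);
}

/*
 * Indicates that the hard limit for all filesystems has been exceeded count
 * times.  Returns the result of auditwarnlog().
 */
int
audit_warn_allhard(int count)
{
	/* Large enough for a 32-bit int in decimal, sign and NUL included. */
	char intstr[12];
	char *args[3];

	snprintf(intstr, sizeof(intstr), "%d", count);

	args[0] = HARDLIM_ALL_WARN;
	args[1] = intstr;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for all filesystems has been exceeded.
 * Returns the result of auditwarnlog().
 */
int
audit_warn_allsoft(void)
{
	char *args[2];

	args[0] = SOFTLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that someone other than the audit daemon turned off auditing.
 * XXX It's not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 */
int
audit_warn_auditoff(void)
{
	char *args[2];

	args[0] = AUDITOFF_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that a trail file has been closed, so it can now be
 * post-processed.  filename is forwarded to the script unchanged; a NULL
 * filename simply ends the argument list early.
 */
int
audit_warn_closefile(char *filename)
{
	char *args[3];

	args[0] = CLOSEFILE_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the audit daemon is already running.
 */
int
audit_warn_ebusy(void)
{
	char *args[2];

	args[0] = EBUSY_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */
int
audit_warn_getacdir(char *filename)
{
	char *args[3];

	args[0] = GETACDIR_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the hard limit for this file has been exceeded.
 */
int
audit_warn_hard(char *filename)
{
	char *args[3];

	args[0] = HARDLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that auditing could not be started.
 */
int
audit_warn_nostart(void)
{
	char *args[2];

	args[0] = NOSTART_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that an error occurred during the orderly shutdown of the audit
 * daemon.
 */
int
audit_warn_postsigterm(void)
{
	char *args[2];

	args[0] = POSTSIGTERM_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for this file has been exceeded.
 */
int
audit_warn_soft(char *filename)
{
	char *args[3];

	args[0] = SOFTLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the temporary audit file already exists, indicating a fatal
 * error.
 */
int
audit_warn_tmpfile(void)
{
	char *args[2];

	args[0] = TMPFILE_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}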