xref: /freebsd/contrib/openbsm/bin/auditd/audit_warn.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 2005 Apple Computer, Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1.  Redistributions of source code must retain the above copyright
10  *     notice, this list of conditions and the following disclaimer.
11  * 2.  Redistributions in binary form must reproduce the above copyright
12  *     notice, this list of conditions and the following disclaimer in the
13  *     documentation and/or other materials provided with the distribution.
14  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15  *     its contributors may be used to endorse or promote products derived
16  *     from this software without specific prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  *
29  * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#8 $
30  */
31 
32 #include <sys/types.h>
33 
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <unistd.h>
37 
38 #include "auditd.h"
39 
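/*
 * Run the audit warning script (AUDITWARN_SCRIPT) with the given arguments.
 *
 * args is a NULL-terminated vector.  At most the first 8 entries are passed
 * on; any further entries are silently dropped.  The script is started with
 * execv(2) directly, so no shell interprets the arguments on the way in and
 * each entry reaches the script as one argv element, unmodified.  Values that
 * originate outside the daemon (for example trail file names) must therefore
 * still be treated as data by the script itself.
 *
 * Returns -1 if fork(2) fails and 0 otherwise.  A return of 0 only means the
 * child was created: a failed exec is reported through syslog(3) by the
 * child and is not visible to the caller.
 *
 * NOTE(review): the child is not waited for here; presumably the daemon
 * reaps it through a SIGCHLD handler elsewhere -- confirm.
 * NOTE(review): the child inherits every descriptor the daemon holds open
 * that is not marked close-on-exec -- confirm none of them should be kept
 * away from the script.
 */
static int
auditwarnlog(char *args[])
{
	/* Slot 0 holds the script path, then up to 8 arguments, then NULL. */
	char *loc_args[10];
	pid_t pid;
	int i;

	loc_args[0] = AUDITWARN_SCRIPT;
	/*
	 * Check the bound before dereferencing so that args[] is never read
	 * past its 8th entry.  With 8 arguments the terminator lands in
	 * loc_args[9], which is why the vector has 10 slots.
	 */
	for (i = 0; i < 8 && args[i] != NULL; i++)
		loc_args[i + 1] = args[i];
	loc_args[i + 1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child.  execv() only returns on failure.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * Leave with _exit() so that the forked copy does not run the
		 * daemon's atexit handlers or flush its stdio buffers.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 */
	return (0);
}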
72 
/*
 * Report that the hard limit has been exceeded on all filesystems.  count is
 * the number of times this has happened; it is passed to the warning script
 * as a decimal string after the warning type.
 */
int
audit_warn_allhard(int count)
{
	/* 12 bytes: sign, ten digits and NUL, assuming a 32-bit int. */
	char countbuf[12];
	char *warn_argv[] = { HARDLIM_ALL_WARN, countbuf, NULL };

	snprintf(countbuf, sizeof(countbuf), "%d", count);

	return (auditwarnlog(warn_argv));
}
91 
/*
 * Report that the soft limit has been exceeded on all filesystems.
 */
int
audit_warn_allsoft(void)
{
	char *warn_argv[] = { SOFTLIM_ALL_WARN, NULL };

	return (auditwarnlog(warn_argv));
}
105 
/*
 * Report that someone other than the audit daemon turned auditing off.
 * XXX It's not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 */
int
audit_warn_auditoff(void)
{
	char *warn_argv[] = { AUDITOFF_WARN, NULL };

	return (auditwarnlog(warn_argv));
}
122 
/*
 * Report that a trail file has been closed and can now be post-processed.
 * filename is forwarded unmodified as the argument after the warning type.
 */
int
audit_warn_closefile(char *filename)
{
	char *warn_argv[] = { CLOSEFILE_WARN, filename, NULL };

	return (auditwarnlog(warn_argv));
}
137 
/*
 * Report that the audit daemon is already running.
 */
int
audit_warn_ebusy(void)
{
	char *warn_argv[] = { EBUSY_WARN, NULL };

	return (auditwarnlog(warn_argv));
}
151 
/*
 * Report a problem getting the directory from audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).  filename is forwarded unmodified as the argument
 * after the warning type.
 */
int
audit_warn_getacdir(char *filename)
{
	char *warn_argv[] = { GETACDIR_WARN, filename, NULL };

	return (auditwarnlog(warn_argv));
}
170 
/*
 * Report that the hard limit has been exceeded for the named file.
 * filename is forwarded unmodified as the argument after the warning type.
 */
int
audit_warn_hard(char *filename)
{
	char *warn_argv[] = { HARDLIM_WARN, filename, NULL };

	return (auditwarnlog(warn_argv));
}
185 
/*
 * Report that auditing could not be started.
 */
int
audit_warn_nostart(void)
{
	char *warn_argv[] = { NOSTART_WARN, NULL };

	return (auditwarnlog(warn_argv));
}
199 
/*
 * Report that an error occurred during the orderly shutdown of the audit
 * daemon.
 */
int
audit_warn_postsigterm(void)
{
	char *warn_argv[] = { POSTSIGTERM_WARN, NULL };

	return (auditwarnlog(warn_argv));
}
214 
/*
 * Report that the soft limit has been exceeded for the named file.
 * filename is forwarded unmodified as the argument after the warning type.
 */
int
audit_warn_soft(char *filename)
{
	char *warn_argv[] = { SOFTLIM_WARN, filename, NULL };

	return (auditwarnlog(warn_argv));
}
229 
/*
 * Report that the temporary audit file already exists, which indicates a
 * fatal error.
 */
int
audit_warn_tmpfile(void)
{
	char *warn_argv[] = { TMPFILE_WARN, NULL };

	return (auditwarnlog(warn_argv));
}
244