xref: /freebsd/contrib/openbsm/bin/auditd/audit_warn.c (revision 596596fec79f04e1f413850b44159224ff1fb8dc)
1 /*-
2  * Copyright (c) 2005-2009 Apple Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1.  Redistributions of source code must retain the above copyright
10  *     notice, this list of conditions and the following disclaimer.
11  * 2.  Redistributions in binary form must reproduce the above copyright
12  *     notice, this list of conditions and the following disclaimer in the
13  *     documentation and/or other materials provided with the distribution.
14  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
15  *     its contributors may be used to endorse or promote products derived
16  *     from this software without specific prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  *
29  * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
30  */
31 
32 #include <sys/types.h>
33 
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <unistd.h>
37 
38 #include "auditd.h"
39 
40 /*
41  * Write an audit-related error to the system log via syslog(3).
42  */
43 static int
44 auditwarnlog(char *args[])
45 {
46 	char *loc_args[9];
47 	pid_t pid;
48 	int i;
49 
50 	loc_args[0] = AUDITWARN_SCRIPT;
51 	for (i = 0; args[i] != NULL && i < 8; i++)
52 		loc_args[i+1] = args[i];
53 	loc_args[i+1] = NULL;
54 
55 	pid = fork();
56 	if (pid == -1)
57 		return (-1);
58 	if (pid == 0) {
59 		/*
60 		 * Child.
61 		 */
62 		execv(AUDITWARN_SCRIPT, loc_args);
63 		syslog(LOG_ERR, "Could not exec %s (%m)\n",
64 		    AUDITWARN_SCRIPT);
65 		exit(1);
66 	}
67 	/*
68 	 * Parent.
69 	 */
70 	return (0);
71 }
72 
73 /*
74  * Indicates that the hard limit for all filesystems has been exceeded.
75  */
76 int
77 audit_warn_allhard(void)
78 {
79 	char *args[2];
80 
81 	args[0] = HARDLIM_ALL_WARN;
82 	args[1] = NULL;
83 
84 	return (auditwarnlog(args));
85 }
86 
87 /*
88  * Indicates that the soft limit for all filesystems has been exceeded.
89  */
90 int
91 audit_warn_allsoft(void)
92 {
93 	char *args[2];
94 
95 	args[0] = SOFTLIM_ALL_WARN;
96 	args[1] = NULL;
97 
98 	return (auditwarnlog(args));
99 }
100 
101 /*
102  * Indicates that someone other than the audit daemon turned off auditing.
103  * XXX Its not clear at this point how this function will be invoked.
104  *
105  * XXXRW: This function is not used.
106  */
107 int
108 audit_warn_auditoff(void)
109 {
110 	char *args[2];
111 
112 	args[0] = AUDITOFF_WARN;
113 	args[1] = NULL;
114 
115 	return (auditwarnlog(args));
116 }
117 
118 /*
119  * Indicate that a trail file has been closed, so can now be post-processed.
120  */
121 int
122 audit_warn_closefile(char *filename)
123 {
124 	char *args[3];
125 
126 	args[0] = CLOSEFILE_WARN;
127 	args[1] = filename;
128 	args[2] = NULL;
129 
130 	return (auditwarnlog(args));
131 }
132 
133 /*
134  * Indicates that the audit deammn is already running
135  */
136 int
137 audit_warn_ebusy(void)
138 {
139 	char *args[2];
140 
141 	args[0] = EBUSY_WARN;
142 	args[1] = NULL;
143 
144 	return (auditwarnlog(args));
145 }
146 
147 /*
148  * Indicates that there is a problem getting the directory from
149  * audit_control.
150  *
151  * XXX Note that we take the filename instead of a count as the argument here
152  * (different from BSM).
153  */
154 int
155 audit_warn_getacdir(char *filename)
156 {
157 	char *args[3];
158 
159 	args[0] = GETACDIR_WARN;
160 	args[1] = filename;
161 	args[2] = NULL;
162 
163 	return (auditwarnlog(args));
164 }
165 
166 /*
167  * Indicates that the hard limit for this file has been exceeded.
168  */
169 int
170 audit_warn_hard(char *filename)
171 {
172 	char *args[3];
173 
174 	args[0] = HARDLIM_WARN;
175 	args[1] = filename;
176 	args[2] = NULL;
177 
178 	return (auditwarnlog(args));
179 }
180 
181 /*
182  * Indicates that auditing could not be started.
183  */
184 int
185 audit_warn_nostart(void)
186 {
187 	char *args[2];
188 
189 	args[0] = NOSTART_WARN;
190 	args[1] = NULL;
191 
192 	return (auditwarnlog(args));
193 }
194 
195 /*
196  * Indicaes that an error occrred during the orderly shutdown of the audit
197  * daemon.
198  */
199 int
200 audit_warn_postsigterm(void)
201 {
202 	char *args[2];
203 
204 	args[0] = POSTSIGTERM_WARN;
205 	args[1] = NULL;
206 
207 	return (auditwarnlog(args));
208 }
209 
210 /*
211  * Indicates that the soft limit for this file has been exceeded.
212  */
213 int
214 audit_warn_soft(char *filename)
215 {
216 	char *args[3];
217 
218 	args[0] = SOFTLIM_WARN;
219 	args[1] = filename;
220 	args[2] = NULL;
221 
222 	return (auditwarnlog(args));
223 }
224 
225 /*
226  * Indicates that the temporary audit file already exists indicating a fatal
227  * error.
228  */
229 int
230 audit_warn_tmpfile(void)
231 {
232 	char *args[2];
233 
234 	args[0] = TMPFILE_WARN;
235 	args[1] = NULL;
236 
237 	return (auditwarnlog(args));
238 }
239 
240 /*
241  * Indicates that this trail file has expired and was removed.
242  */
243 int
244 audit_warn_expired(char *filename)
245 {
246 	char *args[3];
247 
248 	args[0] = EXPIRED_WARN;
249 	args[1] = filename;
250 	args[2] = NULL;
251 
252 	return (auditwarnlog(args));
253 }
254