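/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
 */

#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include "auditd.h"

/*
 * Run the audit warning script (AUDITWARN_SCRIPT) in a child process,
 * forwarding up to eight caller-supplied arguments after argv[0].
 *
 * args is a NULL-terminated vector; entries beyond the eighth are silently
 * dropped.  The arguments are handed to execv(2) as separate argv elements,
 * so no shell parses them in this function; the script itself must still
 * treat them (in particular file names) as data.
 *
 * Returns -1 if fork(2) fails and 0 otherwise.  A return of 0 only means the
 * child was created: an execv(2) failure is reported by the child through
 * syslog(3) and is not visible to the caller.
 *
 * NOTE(review): the child is not waited for here; presumably the daemon
 * reaps it via its SIGCHLD handling elsewhere -- confirm.
 * NOTE(review): AUDITWARN_SCRIPT is executed with the daemon's privileges,
 * so the path it names should not be writable by unprivileged users --
 * verify against the installation layout.
 */
static int
auditwarnlog(char *args[])
{
	enum { WARN_ARGS_MAX = 8 };
	/* Slot 0 is the script path, then the arguments, then the NULL. */
	char *loc_args[WARN_ARGS_MAX + 2];
	pid_t pid;
	int i;

	loc_args[0] = AUDITWARN_SCRIPT;
	/*
	 * Test the bound before dereferencing args[i] so that a vector of
	 * exactly WARN_ARGS_MAX entries is never read past its end.
	 */
	for (i = 0; i < WARN_ARGS_MAX && args[i] != NULL; i++)
		loc_args[i+1] = args[i];
	/*
	 * With WARN_ARGS_MAX arguments copied, i + 1 is WARN_ARGS_MAX + 1,
	 * which is the last valid slot of loc_args; the former nine-element
	 * array was one slot too small for this terminator.
	 */
	loc_args[i+1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * Leave with _exit(2): exit(3) would run the parent's
		 * atexit handlers and flush its inherited stdio buffers a
		 * second time from the child.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 */
	return (0);
}

/*
 * Indicates that the hard limit for all filesystems has been exceeded.
 */
int
audit_warn_allhard(void)
{
	char *args[2];

	args[0] = HARDLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for all filesystems has been exceeded.
 */
int
audit_warn_allsoft(void)
{
	char *args[2];

	args[0] = SOFTLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that someone other than the audit daemon turned off auditing.
 * XXX It's not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 */
int
audit_warn_auditoff(void)
{
	char *args[2];

	args[0] = AUDITOFF_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicate that a trail file has been closed, so can now be post-processed.
 *
 * filename is forwarded unmodified as the script's second argument.
 */
int
audit_warn_closefile(char *filename)
{
	char *args[3];

	args[0] = CLOSEFILE_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the audit daemon is already running.
 */
int
audit_warn_ebusy(void)
{
	char *args[2];

	args[0] = EBUSY_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */
int
audit_warn_getacdir(char *filename)
{
	char *args[3];

	args[0] = GETACDIR_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the hard limit for this file has been exceeded.
 *
 * filename is forwarded unmodified as the script's second argument.
 */
int
audit_warn_hard(char *filename)
{
	char *args[3];

	args[0] = HARDLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that auditing could not be started.
 */
int
audit_warn_nostart(void)
{
	char *args[2];

	args[0] = NOSTART_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that an error occurred during the orderly shutdown of the audit
 * daemon.
 */
int
audit_warn_postsigterm(void)
{
	char *args[2];

	args[0] = POSTSIGTERM_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for this file has been exceeded.
 *
 * filename is forwarded unmodified as the script's second argument.
 */
int
audit_warn_soft(char *filename)
{
	char *args[3];

	args[0] = SOFTLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the temporary audit file already exists indicating a fatal
 * error.
 */
int
audit_warn_tmpfile(void)
{
	char *args[2];

	args[0] = TMPFILE_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that this trail file has expired and was removed.
 *
 * filename is forwarded unmodified as the script's second argument.
 */
int
audit_warn_expired(char *filename)
{
	char *args[3];

	args[0] = EXPIRED_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}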