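/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
 *    its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <unistd.h>

#include "auditd.h"

/*
 * Report an audit-related condition by running AUDITWARN_SCRIPT in a child
 * process.  args is a NULL-terminated vector; its entries are appended after
 * the script path to form the child's argv.  At most eight entries are
 * forwarded; any further entries are silently dropped.
 *
 * The script is started with execv(2) and an explicit argv, so no shell
 * parses the arguments at this layer: a filename reaches the script as one
 * argv entry, whatever characters it contains.  The script itself still has
 * to treat its arguments as data.  execv(2) keeps the caller's environment
 * and every descriptor not marked close-on-exec.
 *
 * Returns 0 once the child has been forked and -1 if fork(2) failed.  A
 * return of 0 does not mean that the script ran or succeeded: an exec
 * failure is only reported through syslog(3) from the child.  The parent
 * does not wait for the child here.
 * NOTE(review): reaping is presumably done elsewhere (e.g. a SIGCHLD
 * handler) -- confirm against the rest of the daemon.
 */
static int
auditwarnlog(char *args[])
{
	enum { max_args = 8 };
	/* Script path + up to max_args arguments + terminating NULL. */
	char *loc_args[max_args + 2];
	pid_t pid;
	int i;

	loc_args[0] = AUDITWARN_SCRIPT;
	/*
	 * Test the bound before reading args[i], so that a vector holding
	 * max_args entries is never read past its last expected slot.
	 */
	for (i = 0; i < max_args && args[i] != NULL; i++)
		loc_args[i + 1] = args[i];
	/*
	 * With max_args entries copied this is loc_args[max_args + 1]; the
	 * array used to be one slot short for that case, so the terminator
	 * was written past its end.
	 */
	loc_args[i + 1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * _exit(2), not exit(3): the forked child must not run the
		 * parent's atexit handlers or flush its inherited stdio
		 * buffers a second time.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 */
	return (0);
}

/*
 * Indicates that the hard limit for all filesystems has been exceeded.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_allhard(void)
{
	char *args[2];

	args[0] = HARDLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for all filesystems has been exceeded.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_allsoft(void)
{
	char *args[2];

	args[0] = SOFTLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that someone other than the audit daemon turned off auditing.
 * XXX It's not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 *
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_auditoff(void)
{
	char *args[2];

	args[0] = AUDITOFF_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that a trail file has been closed, so it can now be
 * post-processed.  filename is handed to the script unchanged, as a single
 * argument.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_closefile(char *filename)
{
	char *args[3];

	args[0] = CLOSEFILE_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the audit daemon is already running.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_ebusy(void)
{
	char *args[2];

	args[0] = EBUSY_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 *
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_getacdir(char *filename)
{
	char *args[3];

	args[0] = GETACDIR_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the hard limit for this file has been exceeded.
 * filename is handed to the script unchanged, as a single argument.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_hard(char *filename)
{
	char *args[3];

	args[0] = HARDLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that auditing could not be started.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_nostart(void)
{
	char *args[2];

	args[0] = NOSTART_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that an error occurred during the orderly shutdown of the audit
 * daemon.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_postsigterm(void)
{
	char *args[2];

	args[0] = POSTSIGTERM_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for this file has been exceeded.
 * filename is handed to the script unchanged, as a single argument.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_soft(char *filename)
{
	char *args[3];

	args[0] = SOFTLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the temporary audit file already exists, indicating a fatal
 * error.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_tmpfile(void)
{
	char *args[2];

	args[0] = TMPFILE_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that this trail file has expired and was removed.
 * filename is handed to the script unchanged, as a single argument.
 * Returns the result of auditwarnlog(): 0 if the warning child was forked,
 * -1 if fork(2) failed.
 */
int
audit_warn_expired(char *filename)
{
	char *args[3];

	args[0] = EXPIRED_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}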