1#! /bin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# ident	"%Z%%M%	%I%	%E% SMI"
24#
25# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
26# Use is subject to license terms.
27#
29# This shell script warns the administrator when there are problems or
30# potential problems with the audit daemon.  The default script sends
31# a message to the machine console in the case where there
32# is no audit space available.  It has comments in a few places where
33# additional actions might be appropriate (eg. clearing some space).
34#
35#---------------------------------------------------------------------------
36# send mail and generate syslog output
37#
38# $MESSAGE and $SUBJECT are set by the caller
39#
40# edit this function to omit syslog or mail output.
41#---------------------------------------------------------------------------
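send_msg() {
	MAILER=/usr/bin/mailx
	TR=/usr/bin/tr
	# Left unquoted at the call sites on purpose: it must word-split into
	# the logger command plus its options.
	LOGCMD="$LOGGER -p daemon.alert"

	ADDRESS=audit_warn		# standard alias for audit alerts

	# $COUNT is also set by the caller (for the repeating conditions);
	# when present, mail is only sent on the first occurrence.

	# Verify the alias resolves; fall back to root if it does not.
	# turn off redirect to /dev/null to see sendmail output
	if ! /usr/lib/sendmail -bv "$ADDRESS" > /dev/null
	then
		$LOGCMD "The $ADDRESS mail alias is not defined"
		ADDRESS=root
	fi

	# Two separate tests rather than the obsolescent "-o" operator.
	if [ -z "$COUNT" ] || [ "0$COUNT" -eq 1 ]
	then
		# %b expands the \n escapes embedded in $MESSAGE the same way
		# under every shell, instead of depending on echo(1) behaviour.
		printf '%s: %b\n' "$0" "$MESSAGE" | $MAILER -s "$SUBJECT" "$ADDRESS"
	fi

	# Collapse the message to a single line for syslog.  sed works one
	# line at a time, so "s/\n/ /g" never saw a newline; tr does.
	STRIPPEDMSG=$(printf '%b' "$MESSAGE" | $TR '\n' ' ')
	# Quoted, and after "--", so that caller-supplied text (e.g. the
	# plugin error text) is neither glob-expanded nor parsed by logger
	# as options.
	$LOGCMD -- "$STRIPPEDMSG"
}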
67# If you change this script, script debug should first be done via the
68# command line, so input errors are output via "echo," but syslog
69# debug messages are better for testing from auditd since the echo
70# output would be lost.  For testing with auditd, replace
71# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'
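LOGGER="/usr/bin/logger"
DEBUG_OUT="echo"

# Check usage: one condition keyword plus at most four arguments ("plugin"
# takes four).  Two separate tests rather than the obsolescent "-o" operator.
if [ "$#" -lt 1 ] || [ "$#" -gt 5 ]
then
	$DEBUG_OUT "Usage: $0 <option> [<args>]"
	exit 1
fi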
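# Process args.  Every branch ends with "break", so exactly one condition
# is reported per invocation; the trailing "shift" only matters if a branch
# without a break is ever added.  Arguments beyond $1 are reported verbatim
# in the message and are otherwise treated as opaque data.
while [ -n "$1" ]
do

	SUBJECT="AUDIT DAEMON WARNING ($1)"

	case "$1" in

	"soft" )	# Check soft arg
			# One audit filesystem has filled to the soft limit
			# set up in audit_control.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'soft'!"
				exit 1
			else
				FILE=$2
			fi

			# Set message
			MESSAGE="Soft limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allsoft" )	# Check all soft arg
			# All the audit filesystems have filled to the soft
			# limit set up in audit_control.

			# Set message
			MESSAGE="Soft limit exceeded on all filesystems."
			send_msg

			break
			;;

	"hard" )	# Check hard arg
			# One audit filesystem has filled completely.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'hard'!"
				exit 1
			else
				FILE=$2
			fi

			# Set message
			MESSAGE="Hard limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allhard" )	# Check all hard arg
			# All the audit filesystems have filled completely.
			# The audit daemon will remain in a loop sleeping
			# and checking for space until some space is freed.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'allhard'!"
				exit 1
			else
				# How many times this has been reported; send_msg
				# mails only when it is 1.
				COUNT=$2
			fi

			# Set message
			MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

			send_msg

			# This might be a place to make space in the
			# audit file systems.

			break
			;;

	"ebusy" )	# Check ebusy arg
			# The audit daemon is already running and can not
			# be started more than once.

			# Set message
			MESSAGE="The audit daemon is already running on this system."
			send_msg

			break
			;;

	"tmpfile" )	# Check tempfile arg
			# The tempfile used by the audit daemon could not
			# be opened even though it was unlinked.
			# This error will cause the audit daemon to exit.

			# Set message
			MESSAGE="The audit daemon can not open audit_tmp.\
  This implies a serious problem.  The audit daemon has exited!"

			send_msg

			break
			;;

	"nostart" )	# Check no start arg

			# auditd attempts to set the audit state; if
			# it fails, it exits with a "nostart" code.
			# The most likely cause is that the kernel
			# audit module did not load due to a
			# configuration error.  auditd is not running.
			#
			# The audit daemon can not be started until
			# the error is corrected and the system is
			# rebooted.

			MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"

			send_msg

			break
			;;

	"auditoff" )	# Check audit off arg
			# Someone besides the audit daemon called the
			# system call auditon to "turn auditing off"
			# by setting the state to AUC_NOAUDIT.  This
			# will cause the audit daemon to exit.

			# Set message
			MESSAGE="Auditing has been turned off unexpectedly."
			send_msg

			break
			;;

	"postsigterm" )	# Check post sigterm arg
			# While the audit daemon was trying to shutdown
			# in an orderly fashion (corresponding to audit -t)
			# it got another signal or an error.  Some records
			# may not have been written.

			# Set message
			MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM.  Some audit records may have been lost."
			send_msg

			break
			;;

	"getacdir" )	# Check getacdir arg
			# There is a problem getting the directory list from
			# /etc/security/audit_control.  Auditd is
			# going to hang in a sleep loop until the file is
			# fixed.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'getacdir'!"
				exit 1
			else
				COUNT=$2
				# Quoted: an empty or odd value must not
				# turn into a missing test operand.
				if [ "$COUNT" -eq 1 ]; then
					S=""
				else
					S="s"
				fi
			fi

			# Set message
			MESSAGE="There is a problem getting the directory\
 list or plugin list from audit_control(4).  The audit daemon will hang
 until this file is fixed.  This message has been displayed $COUNT time$S."
			send_msg
			break
			;;

	"plugin" )	# Check plugin arg

			# There is a problem loading a plugin or a plugin
			# has reported a serious error.
			# Output from the plugin is either blocked or halted.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
				exit 1
			else
				PLUGNAME=$2
			fi

			if [ -z "$3" ]
			then
				$DEBUG_OUT "$0: Need error arg with 'plugin'!"
				exit 1
			else
				ERROR=$3
			fi

			if [ -z "$4" ]
			then
				$DEBUG_OUT "$0: Need text arg with 'plugin'!"
				exit 1
			else
				# Free text supplied by the plugin; it is
				# forwarded as-is inside the message.
				TEXT=$4
			fi

			if [ -z "$5" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'plugin'!"
				exit 1
			else
				COUNT=$5
				if [ "$COUNT" -eq 1 ]; then
					S=""
				else
					S="s"
				fi
			fi

			# Set message
			MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
$PLUGNAME: $ERROR\n\
$TEXT\n\
This message has been displayed $COUNT time$S."
			send_msg
			break
			;;

	* )		# Check other args
			$DEBUG_OUT "$0: Arg not recognized: $1"
			exit 1
			;;

	esac

	shift
done

exit 0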