Copyright (c) 2017 Peter Tribble
Copyright (c) 2003, Sun Microsystems, Inc. All Rights Reserved.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
/etc/security/audit_warn [option [arguments]]
The audit_warn utility processes warning or error messages from the audit daemon. When a problem is encountered, the audit daemon, auditd(8) calls audit_warn with the appropriate arguments. The option argument specifies the error type.
The system administrator can specify a list of mail recipients to be notified when an audit_warn situation arises by defining a mail alias called audit_warn in aliases(5). The users that make up the audit_warn alias are typically the audit and root users.
The following options are supported: allhard count
Indicates that the hard limit for all filesystems has been exceeded count times. The default action for this option is to send mail to the audit_warn alias only if the count is 1, and to write a message to the machine console every time. It is recommended that mail not be sent every time as this could result in a the saturation of the file system that contains the mail spool directory.
Indicates that the soft limit for all filesystems has been exceeded. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.
Indicates that someone other than the audit daemon changed the system audit state to something other than AUC_AUDITING. The audit daemon will have exited in this case. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.
Indicates that the hard limit for the file has been exceeded. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.
Indicates that auditing could not be started. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console. Some administrators may prefer to modify audit_warn to reboot the system when this error occurs.
Indicates that an error occurred during execution of the auditd plugin name. The default action for this option is to send mail to the audit_warn alias only if count is 1, and to write a message to the machine console every time. (Separate counts are kept for each error type.) It is recommended that mail not be sent every time as this could result in the saturation of the file system that contains the mail spool directory. The text field provides the detailed error message passed from the plugin. The error field is one of the following strings: load_error
Unable to load the plugin name.
The plugin name is not executing due to a system error such as a lack of resources.
No plugins loaded (including the binary file plugin, audit_binfile(7)) due to configuration errors. The name string is -- to indicate that no plugin name applies.
The plugin name reports it has encountered a temporary failure.
The plugin name reports a failure due to lack of memory.
The plugin name reports it received an invalid input.
The plugin name has reported an error as described in text.
Indicates that the soft limit for filename has been exceeded. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.
Indicates that there was a problem creating a symlink from /var/run/.audit.log to the current audit log file..
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE |
Interface Stability Evolving |
The interface stability is evolving. The file content is unstable.
aliases (5), audit.log (5), attributes (7), audit (8), auditd (8)
If the audit policy perzone is set, the /etc/security/audit_warn script for the local zone is used for notifications from the local zone's instance of auditd. If the perzone policy is not set, all auditd errors are generated by the global zone's copy of /etc/security/audit_warn.