xref: /titanic_41/usr/src/cmd/audit_warn/audit_warn.sh (revision 0db3240d392634cfff2f95fb6da34b56b8dc574f) 
1#! /bin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24# Use is subject to license terms.
25#
26
27# This shell script warns the administrator when there are problems or
28# potential problems with the audit daemon.  The default script sends
29# a message to the machine console in the case where there
30# is no audit space available.  It has comments in a few places where
31# additional actions might be appropriate (eg. clearing some space).
32#
33#---------------------------------------------------------------------------
34# send mail and generate syslog output
35#
36# $MESSAGE and $SUBJECT are set by the caller
37#
38# edit this function to omit syslog or mail output.
39#---------------------------------------------------------------------------
40send_msg() {
41	MAILER=/usr/bin/mailx
42	SED=/usr/bin/sed
43	LOGCMD="$LOGGER -p daemon.alert"
44
45	ADDRESS=audit_warn		# standard alias for audit alerts
46
47	# turn off redirect to /dev/null to see sendmail output
48	/usr/lib/sendmail -bv $ADDRESS > /dev/null
49
50	if [ $? -ne 0 ]
51	then
52		$LOGCMD "The $ADDRESS mail alias is not defined"
53		ADDRESS=root
54	fi
55
56	if [ -z "$COUNT" -o "0$COUNT" -eq 1 ]
57	then
58		echo "$0: $MESSAGE" | $MAILER -s "$SUBJECT" $ADDRESS
59	fi
60
61	STRIPPEDMSG=`echo "$MESSAGE" | $SED -e "s/\n/ /g"`
62	$LOGCMD $STRIPPEDMSG
63}
64
65# If you change this script, script debug should first be done via the
66# command line, so input errors are output via "echo," but syslog
67# debug messages are better for testing from auditd since the echo
68# output would be lost.  For testing with auditd, replace
69# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'
70
71LOGGER="/usr/bin/logger"
72DEBUG_OUT="echo"
73
74# Check usage
75if [ "$#" -lt "1" -o "$#" -gt "5" ]
76then
77	$DEBUG_OUT "Usage: $0 <option> [<args>]"
78	exit 1
79fi
80
81# Process args
82while [ -n "$1" ]
83do
84
85	SUBJECT="AUDIT DAEMON WARNING ($1)"
86
87	case "$1" in
88
89	"soft" )	# Check soft arg
90			# One audit filesystem has filled to the soft limit
91			# set up in audit_control.
92
93			if [ ! -n "$2" ]
94			then
95				$DEBUG_OUT "$0: Need filename arg with 'soft'!"
96				exit 1
97			else
98				FILE=$2
99			fi
100
101			# Set message
102			MESSAGE="Soft limit exceeded in file $FILE."
103			send_msg
104
105			break
106			;;
107
108	"allsoft" )	# Check all soft arg
109			# All the audit filesystems have filled to the soft
110			# limit set up in audit_control.
111
112			# Set message
113			MESSAGE="Soft limit exceeded on all filesystems."
114			send_msg
115
116			break
117			;;
118
119	"hard" )	# Check hard arg
120			# One audit filesystem has filled completely.
121
122			if [ ! -n "$2" ]
123			then
124				$DEBUG_OUT "$0: Need filename arg with 'hard'!"
125				exit 1
126			else
127				FILE=$2
128			fi
129
130			# Set message
131			MESSAGE="Hard limit exceeded in file $FILE."
132			send_msg
133
134			break
135			;;
136
137	"allhard" )	# Check all hard arg
138			# All the audit filesystems have filled completely.
139			# The audit daemon will remain in a loop sleeping
140			# and checking for space until some space is freed.
141
142			if [ ! -n "$2" ]
143			then
144				$DEBUG_OUT "$0: Need count arg with 'allhard'!"
145				exit 1
146			else
147				COUNT=$2
148			fi
149
150			# Set message
151			MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"
152
153			send_msg
154
155			# This might be a place to make space in the
156			# audit file systems.
157
158			break
159			;;
160
161	"ebusy" )	# Check ebusy arg
162			# The audit daemon is already running and can not
163			# be started more than once.
164
165			# Set message
166			MESSAGE="The audit daemon is already running on this system."
167			send_msg
168
169			break
170			;;
171
172	"tmpfile" )	# Check tmpfile arg
173			# The tmpfile used by the audit daemon (binfile) could
174			# not be opened even unlinked or symlinked.
175			# This error will cause the audit daemon to exit at
176			# start.  If it occurs later the audit daemon will
177			# attempt to carry on.
178
179			if [ ! -n "$2" ]
180			then
181				$DEBUG_OUT "$0: Need error string arg with 'tmpfile'!"
182				exit 1
183			else
184				ERROR=$2
185			fi
186			# Set message
187			MESSAGE="The audit daemon is unable to update /var/run, error=$ERROR.\n This implies a serious problem."
188
189			send_msg
190
191			break
192			;;
193
194	"nostart" )	# Check no start arg
195
196			# auditd attempts to set the audit state; if
197			# it fails, it exits with a "nostart" code.
198			# The most likely cause is that the kernel
199			# audit module did not load due to a
200			# configuration error.  auditd is not running.
201			#
202			# The audit daemon can not be started until
203			# the error is corrected and the system is
204			# rebooted.
205
206			MESSAGE="audit failed to start because it cannot read or\
207 write the system's audit state. This may be due to a configuration error.\n\n\
208Must reboot to start auditing!"
209
210			send_msg
211
212			break
213			;;
214
215	"auditoff" )	# Check audit off arg
216			# Someone besides the audit daemon called the
217			# system call auditon to "turn auditing off"
218			# by setting the state to AUC_NOAUDIT.  This
219			# will cause the audit daemon to exit.
220
221			# Set message
222			MESSAGE="Auditing has been turned off unexpectedly."
223			send_msg
224
225			break
226			;;
227
228	"postsigterm" )	# Check post sigterm arg
229			# While the audit daemon was trying to shutdown
230			# in an orderly fashion (corresponding to audit -t)
231			# it got another signal or an error.  Some records
232			# may not have been written.
233
234			# Set message
235			MESSAGE="Received some signal or error while writing\
236 audit records after SIGTERM.  Some audit records may have been lost."
237			send_msg
238
239			break
240			;;
241
242	"getacdir" )	# Check getacdir arg
243			# There is a problem getting the directory list from
244			# /etc/security/audit_control.  Auditd is
245			# going to hang in a sleep loop until the file is
246			# fixed.
247
248			if [ ! -n "$2" ]
249			then
250				$DEBUG_OUT "$0: Need count arg with 'getacdir'!"
251				exit 1
252			else
253				COUNT=$2
254				if [ $COUNT -eq 1 ]; then
255					S=""
256				else
257					S="s"
258				fi
259			fi
260
261			# Set message
262			MESSAGE="There is a problem getting the directory\
263 list or plugin list from audit_control(4).  The audit daemon will hang
264 until this file is fixed.  This message has been displayed $COUNT time$S."
265			send_msg
266			break
267			;;
268
269	"plugin" )	# Check plugin arg
270
271			# There is a problem loading a plugin or a plugin
272			# has reported a serious error.
273			# Output from the plugin is either blocked or halted.
274
275			if [ ! -n "$2" ]
276			then
277				$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
278				exit 1
279			else
280				PLUGNAME=$2
281			fi
282
283			if [ ! -n "$3" ]
284			then
285				$DEBUG_OUT "$0: Need error arg with 'plugin'!"
286				exit 1
287			else
288				ERROR=$3
289			fi
290
291			if [ ! -n "$4" ]
292			then
293				$DEBUG_OUT "$0: Need text arg with 'plugin'!"
294				exit 1
295			else
296				TEXT=$4
297			fi
298
299			if [ ! -n "$5" ]
300			then
301				$DEBUG_OUT "$0: Need count arg with 'plugin'!"
302				exit 1
303			else
304				COUNT=$5
305				if [ $COUNT -eq 1 ]; then
306					S=""
307				else
308					S="s"
309				fi
310			fi
311
312			# Set message
313			MESSAGE="The audit daemon has experienced the\
314 following problem with loading or executing plugins:\n\n\
315$PLUGNAME: $ERROR\n\
316$TEXT\n\
317This message has been displayed $COUNT time$S."
318			send_msg
319			break
320			;;
321
322	* )		# Check other args
323			$DEBUG_OUT "$0: Arg not recognized: $1"
324			exit 1
325			;;
326
327	esac
328
329	shift
330done
331
332exit 0
333