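#! /bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

# This shell script warns the administrator when there are problems or
# potential problems with the audit daemon.  The default script sends
# a message to the machine console in the case where there
# is no audit space available.  It has comments in a few places where
# additional actions might be appropriate (eg. clearing some space).
#
# Usage: audit_warn <option> [<args>]
#
# The option names and their arguments are documented on the case arms
# below.  Every external command is named by absolute path because the
# script runs from the daemon's environment, not from an administrator's
# PATH.  Keep the script /bin/sh (Bourne) compatible: backticks rather
# than $(...), no "local", no "!" pipeline negation.

# If you change this script, script debug should first be done via the
# command line, so input errors are output via "echo," but syslog
# debug messages are better for testing from auditd since the echo
# output would be lost.  For testing with auditd, replace
# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'

LOGGER="/usr/bin/logger"
DEBUG_OUT="echo"

# Tools used by send_msg.
MAILER=/usr/bin/mailx
PRINTF=/usr/bin/printf
SENDMAIL=/usr/lib/sendmail
TR=/usr/bin/tr

#---------------------------------------------------------------------------
# send mail and generate syslog output
#
# $MESSAGE and $SUBJECT are set by the caller.  $COUNT, when the caller
# sets it, is the number of times auditd has already raised the same
# condition: mail goes out only for the first occurrence (COUNT unset or
# 1) so a daemon stuck in a retry loop does not flood the mailbox, while
# syslog receives every occurrence.
#
# $MESSAGE may contain "\n" escape sequences.  They are rendered with
# printf '%b' instead of echo, whose handling of backslash escapes
# differs from one sh to another, so mail body and syslog line come out
# the same everywhere.
#
# edit this function to omit syslog or mail output.
#---------------------------------------------------------------------------
send_msg() {
	# Left unquoted on purpose where it is used: the string is the
	# command plus its options and must be word-split.
	LOGCMD="$LOGGER -p daemon.alert"

	ADDRESS=audit_warn		# standard alias for audit alerts

	# turn off redirect to /dev/null to see sendmail output
	$SENDMAIL -bv "$ADDRESS" > /dev/null

	if [ $? -ne 0 ]
	then
		$LOGCMD "The $ADDRESS mail alias is not defined"
		ADDRESS=root
	fi

	if [ -z "$COUNT" ] || [ "0$COUNT" -eq 1 ]
	then
		$PRINTF '%s: %b\n' "$0" "$MESSAGE" | \
		    $MAILER -s "$SUBJECT" "$ADDRESS"
	fi

	# syslog wants a single line: render the escapes, fold newlines to
	# spaces, then hand the result over as ONE quoted argument so the
	# message text is never word-split or glob-expanded by the shell.
	STRIPPEDMSG=`$PRINTF '%b' "$MESSAGE" | $TR '\n' ' '`
	$LOGCMD "$STRIPPEDMSG"
}

#---------------------------------------------------------------------------
# require_arg VALUE DESCRIPTION
#
# Exit with a usage diagnostic when a required positional argument is
# missing.  VALUE is the argument as given on the command line and
# DESCRIPTION names it for the message, e.g. "filename arg with 'soft'".
#---------------------------------------------------------------------------
require_arg() {
	if [ -z "$1" ]
	then
		$DEBUG_OUT "$0: Need $2!"
		exit 1
	fi
}

# Check usage
if [ "$#" -lt 1 ] || [ "$#" -gt 5 ]
then
	$DEBUG_OUT "Usage: $0 <option> [<args>]"
	exit 1
fi

# auditd passes a single option (plus its arguments) per invocation, so
# only $1 is dispatched.  An empty first argument is a silent no-op.
[ -n "$1" ] || exit 0

SUBJECT="AUDIT DAEMON WARNING ($1)"

case "$1" in

"soft" )	# Check soft arg
	# One audit filesystem has filled to the soft limit
	# set up in audit_control.

	require_arg "$2" "filename arg with 'soft'"
	FILE=$2

	# Set message
	MESSAGE="Soft limit exceeded in file $FILE."
	send_msg
	;;

"allsoft" )	# Check all soft arg
	# All the audit filesystems have filled to the soft
	# limit set up in audit_control.

	# Set message
	MESSAGE="Soft limit exceeded on all filesystems."
	send_msg
	;;

"hard" )	# Check hard arg
	# One audit filesystem has filled completely.

	require_arg "$2" "filename arg with 'hard'"
	FILE=$2

	# Set message
	MESSAGE="Hard limit exceeded in file $FILE."
	send_msg
	;;

"allhard" )	# Check all hard arg
	# All the audit filesystems have filled completely.
	# The audit daemon will remain in a loop sleeping
	# and checking for space until some space is freed.

	require_arg "$2" "count arg with 'allhard'"
	COUNT=$2

	# Set message
	MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

	send_msg

	# This might be a place to make space in the
	# audit file systems.
	;;

"ebusy" )	# Check ebusy arg
	# The audit daemon is already running and can not
	# be started more than once.

	# Set message
	MESSAGE="The audit daemon is already running on this system."
	send_msg
	;;

"tmpfile" )	# Check tempfile arg
	# The tempfile used by the audit daemon could not
	# be opened even though it was unlinked.
	# This error will cause the audit daemon to exit.

	# Set message (continuation lines start with the space that
	# separates the joined words)
	MESSAGE="The audit daemon can not open audit_tmp.\
 This implies a serious problem. The audit daemon has exited!"

	send_msg
	;;

"nostart" )	# Check no start arg

	# auditd attempts to set the audit state; if
	# it fails, it exits with a "nostart" code.
	# The most likely cause is that the kernel
	# audit module did not load due to a
	# configuration error.  auditd is not running.
	#
	# The audit daemon can not be started until
	# the error is corrected and the system is
	# rebooted.

	MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"

	send_msg
	;;

"auditoff" )	# Check audit off arg
	# Someone besides the audit daemon called the
	# system call auditon to "turn auditing off"
	# by setting the state to AUC_NOAUDIT.  This
	# will cause the audit daemon to exit.

	# Set message
	MESSAGE="Auditing has been turned off unexpectedly."
	send_msg
	;;

"postsigterm" )	# Check post sigterm arg
	# While the audit daemon was trying to shutdown
	# in an orderly fashion (corresponding to audit -t)
	# it got another signal or an error.  Some records
	# may not have been written.

	# Set message
	MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM. Some audit records may have been lost."
	send_msg
	;;

"getacdir" )	# Check getacdir arg
	# There is a problem getting the directory list from
	# /etc/security/audit_control.  Auditd is
	# going to hang in a sleep loop until the file is
	# fixed.

	require_arg "$2" "count arg with 'getacdir'"
	COUNT=$2

	# Set message
	MESSAGE="There is a problem getting the directory\
 list from audit_control. The audit daemon will hang until this file is\
 fixed. This message has been displayed $COUNT times."
	send_msg
	;;

"plugin" )	# Check plugin arg

	# There is a problem loading a plugin or a plugin
	# has reported a serious error.
	# Output from the plugin is either blocked or halted.
	#
	# $TEXT is free-form text supplied by the plugin; it is only ever
	# passed as a printf argument, never as a format string, and is
	# quoted on its way to logger.

	require_arg "$2" "plugin name arg with 'plugin'"
	PLUGNAME=$2

	require_arg "$3" "error arg with 'plugin'"
	ERROR=$3

	require_arg "$4" "text arg with 'plugin'"
	TEXT=$4

	require_arg "$5" "count arg with 'plugin'"
	COUNT=$5

	# Set message
	MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
$PLUGNAME: $ERROR\n\
$TEXT\n\
This message has been displayed $COUNT times."
	send_msg
	;;

* )	# Check other args
	$DEBUG_OUT "$0: Arg not recognized: $1"
	exit 1
	;;

esac

exit 0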