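#! /bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# ident "%Z%%M% %I% %E% SMI"
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

# This shell script warns the administrator when there are problems or
# potential problems with the audit daemon. The default script sends
# a message (by mail and syslog) in the case where there
# is no audit space available. It has comments in a few places where
# additional actions might be appropriate (eg. clearing some space).
#
# Usage: $0 <option> [<args>]
#
#   soft <file>      one audit filesystem reached its soft limit
#   allsoft          all audit filesystems reached the soft limit
#   hard <file>      one audit filesystem is full
#   allhard <count>  all audit filesystems are full; <count> is the
#                    number of times auditd has reported this
#   ebusy            auditd is already running
#   tmpfile          auditd could not open audit_tmp and has exited
#   nostart          auditd could not set the audit state and has exited
#   auditoff         auditing was turned off by something other than auditd
#   postsigterm      auditd hit a signal or error while draining after SIGTERM
#   getacdir <count> the directory/plugin list in audit_control is unreadable
#   plugin <name> <error> <text> <count>
#                    a plugin failed to load or reported a serious error
#
# The script is written for /bin/sh (no $(...), no [[ ]], no local) and
# relies on that shell's echo expanding the \n escapes embedded in some of
# the messages when building the mail body.
#
#---------------------------------------------------------------------------
# send mail and generate syslog output
#
# $MESSAGE and $SUBJECT are set by the caller. $COUNT, when the caller
# sets it, is the repetition counter passed in by auditd; mail is only
# sent on the first occurrence while every occurrence goes to syslog.
#
# edit this function to omit syslog or mail output.
#---------------------------------------------------------------------------
send_msg() {
	MAILER=/usr/bin/mailx
	SED=/usr/bin/sed
	LOGCMD="$LOGGER -p daemon.alert"

	ADDRESS=audit_warn		# standard alias for audit alerts

	# Verify the alias resolves; otherwise fall back to root so the
	# warning is not dropped silently.
	# turn off redirect to /dev/null to see sendmail output
	/usr/lib/sendmail -bv "$ADDRESS" > /dev/null

	if [ $? -ne 0 ]
	then
		$LOGCMD "The $ADDRESS mail alias is not defined"
		ADDRESS=root
	fi

	# Mail on the first (or an uncounted) warning only. The "0" prefix
	# keeps the numeric test well-formed when $COUNT is empty.
	if [ -z "$COUNT" ] || [ "0$COUNT" -eq 1 ]
	then
		echo "$0: $MESSAGE" | $MAILER -s "$SUBJECT" "$ADDRESS"
	fi

	# Fold the message onto a single syslog line. sed sees one line at
	# a time, so the newline removal actually happens through the
	# word-splitting of the unquoted expansion below. Globbing is turned
	# off around that expansion so that '*' or '?' in message text (for
	# example in a plugin's error string) is logged literally instead of
	# being expanded against the current directory.
	STRIPPEDMSG=`echo "$MESSAGE" | $SED -e "s/\n/ /g"`
	set -f
	$LOGCMD $STRIPPEDMSG
	set +f
}

# If you change this script, script debug should first be done via the
# command line, so input errors are output via "echo," but syslog
# debug messages are better for testing from auditd since the echo
# output would be lost. For testing with auditd, replace
# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'

LOGGER="/usr/bin/logger"
DEBUG_OUT="echo"

# Check usage
if [ "$#" -lt 1 ] || [ "$#" -gt 5 ]
then
	$DEBUG_OUT "Usage: $0 <option> [<args>]"
	exit 1
fi

# Process args
#
# Every arm either exits on a missing argument or breaks after sending
# its message, so the body runs at most once and the trailing shift is
# never reached; the loop is kept for its "$1 is non-empty" guard.
while [ -n "$1" ]
do

	SUBJECT="AUDIT DAEMON WARNING ($1)"

	case "$1" in

	"soft" )	# Check soft arg
		# One audit filesystem has filled to the soft limit
		# set up in audit_control.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need filename arg with 'soft'!"
			exit 1
		else
			FILE=$2
		fi

		# Set message
		MESSAGE="Soft limit exceeded in file $FILE."
		send_msg

		break
		;;

	"allsoft" )	# Check all soft arg
		# All the audit filesystems have filled to the soft
		# limit set up in audit_control.

		# Set message
		MESSAGE="Soft limit exceeded on all filesystems."
		send_msg

		break
		;;

	"hard" )	# Check hard arg
		# One audit filesystem has filled completely.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need filename arg with 'hard'!"
			exit 1
		else
			FILE=$2
		fi

		# Set message
		MESSAGE="Hard limit exceeded in file $FILE."
		send_msg

		break
		;;

	"allhard" )	# Check all hard arg
		# All the audit filesystems have filled completely.
		# The audit daemon will remain in a loop sleeping
		# and checking for space until some space is freed.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need count arg with 'allhard'!"
			exit 1
		else
			COUNT=$2
		fi

		# Set message
		MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

		send_msg

		# This might be a place to make space in the
		# audit file systems.

		break
		;;

	"ebusy" )	# Check ebusy arg
		# The audit daemon is already running and can not
		# be started more than once.

		# Set message
		MESSAGE="The audit daemon is already running on this system."
		send_msg

		break
		;;

	"tmpfile" )	# Check tempfile arg
		# The tempfile used by the audit daemon could not
		# be opened even though it was unlinked.
		# This error will cause the audit daemon to exit.

		# Set message
		MESSAGE="The audit daemon can not open audit_tmp.\
 This implies a serious problem. The audit daemon has exited!"

		send_msg

		break
		;;

	"nostart" )	# Check no start arg

		# auditd attempts to set the audit state; if
		# it fails, it exits with a "nostart" code.
		# The most likely cause is that the kernel
		# audit module did not load due to a
		# configuration error. auditd is not running.
		#
		# The audit daemon can not be started until
		# the error is corrected and the system is
		# rebooted.

		MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"

		send_msg

		break
		;;

	"auditoff" )	# Check audit off arg
		# Someone besides the audit daemon called the
		# system call auditon to "turn auditing off"
		# by setting the state to AUC_NOAUDIT. This
		# will cause the audit daemon to exit.

		# Set message
		MESSAGE="Auditing has been turned off unexpectedly."
		send_msg

		break
		;;

	"postsigterm" )	# Check post sigterm arg
		# While the audit daemon was trying to shutdown
		# in an orderly fashion (corresponding to audit -t)
		# it got another signal or an error. Some records
		# may not have been written.

		# Set message
		MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM. Some audit records may have been lost."
		send_msg

		break
		;;

	"getacdir" )	# Check getacdir arg
		# There is a problem getting the directory list from
		# /etc/security/audit_control. Auditd is
		# going to hang in a sleep loop until the file is
		# fixed.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need count arg with 'getacdir'!"
			exit 1
		else
			COUNT=$2
			# plural suffix for the "displayed N time(s)" text
			if [ "$COUNT" -eq 1 ]; then
				S=""
			else
				S="s"
			fi
		fi

		# Set message
		MESSAGE="There is a problem getting the directory\
 list or plugin list from audit_control(4). The audit daemon will hang
 until this file is fixed. This message has been displayed $COUNT time$S."
		send_msg
		break
		;;

	"plugin" )	# Check plugin arg

		# There is a problem loading a plugin or a plugin
		# has reported a serious error.
		# Output from the plugin is either blocked or halted.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
			exit 1
		else
			PLUGNAME=$2
		fi

		if [ -z "$3" ]
		then
			$DEBUG_OUT "$0: Need error arg with 'plugin'!"
			exit 1
		else
			ERROR=$3
		fi

		if [ -z "$4" ]
		then
			$DEBUG_OUT "$0: Need text arg with 'plugin'!"
			exit 1
		else
			TEXT=$4
		fi

		if [ -z "$5" ]
		then
			$DEBUG_OUT "$0: Need count arg with 'plugin'!"
			exit 1
		else
			COUNT=$5
			# plural suffix for the "displayed N time(s)" text
			if [ "$COUNT" -eq 1 ]; then
				S=""
			else
				S="s"
			fi
		fi

		# Set message. $PLUGNAME, $ERROR and $TEXT are supplied by
		# auditd from the plugin; they are emitted as data only.
		MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
$PLUGNAME: $ERROR\n\
$TEXT\n\
This message has been displayed $COUNT time$S."
		send_msg
		break
		;;

	* )	# Check other args
		$DEBUG_OUT "$0: Arg not recognized: $1"
		exit 1
		;;

	esac

	shift
done

exit 0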