xref: /titanic_52/usr/src/cmd/audit_warn/audit_warn.sh (revision f89940742f5d14dde79b69b98a414dd7b7f585c7)

#! /bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
#

# This shell script warns the administrator when there are problems or
# potential problems with the audit daemon.  The default script sends
# a message to the machine console in the case where there
# is no audit space available.  It has comments in a few places where
# additional actions might be appropriate (eg. clearing some space).
#
#---------------------------------------------------------------------------
# send mail and generate syslog output
#
# $MESSAGE and $SUBJECT are set by the caller
#
# edit this function to omit syslog or mail output.
#---------------------------------------------------------------------------
send_msg() {
	MAILER=/usr/bin/mailx
	SED=/usr/bin/sed
	LOGCMD="$LOGGER -p daemon.alert"

	ADDRESS=audit_warn		# standard alias for audit alerts

	# turn off redirect to /dev/null to see sendmail output
	/usr/lib/sendmail -bv $ADDRESS > /dev/null

	if [ $? -ne 0 ]
	then
		$LOGCMD "The $ADDRESS mail alias is not defined"
		ADDRESS=root
	fi

	if [ -z "$COUNT" -o "0$COUNT" -eq 1 ]
	then
		echo "$0: $MESSAGE" | $MAILER -s "$SUBJECT" $ADDRESS
	fi

	STRIPPEDMSG=`echo "$MESSAGE" | $SED -e "s/\n/ /g"`
	$LOGCMD $STRIPPEDMSG
}

# If you change this script, script debug should first be done via the
# command line, so input errors are output via "echo," but syslog
# debug messages are better for testing from auditd since the echo
# output would be lost.  For testing with auditd, replace
# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'

LOGGER="/usr/bin/logger"
DEBUG_OUT="echo"

# Check usage
if [ "$#" -lt "1" -o "$#" -gt "5" ]
then
	$DEBUG_OUT "Usage: $0 <option> [<args>]"
	exit 1
fi

# Process args
while [ -n "$1" ]
do

	SUBJECT="AUDIT DAEMON WARNING ($1)"

	case "$1" in

	"soft" )	# Check soft arg
			# One audit filesystem has filled to the soft limit
			# that is configured in the audit service.

			if [ ! -n "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'soft'!"
				exit 1
			else
				FILE=$2
			fi

			# Set message
			MESSAGE="Soft limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allsoft" )	# Check all soft arg
			# All the audit filesystems have filled to the soft
			# limit set up in the audit service configuration.

			# Set message
			MESSAGE="Soft limit exceeded on all filesystems."
			send_msg

			break
			;;

	"hard" )	# Check hard arg
			# One audit filesystem has filled completely.

			if [ ! -n "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'hard'!"
				exit 1
			else
				FILE=$2
			fi

			# Set message
			MESSAGE="Hard limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allhard" )	# Check all hard arg
			# All the audit filesystems have filled completely.
			# The audit daemon will remain in a loop sleeping
			# and checking for space until some space is freed.

			if [ ! -n "$2" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'allhard'!"
				exit 1
			else
				COUNT=$2
			fi

			# Set message
			MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

			send_msg

			# This might be a place to make space in the
			# audit file systems.

			break
			;;

	"ebusy" )	# Check ebusy arg
			# The audit daemon is already running and can not
			# be started more than once.

			# Set message
			MESSAGE="The audit daemon is already running on this system."
			send_msg

			break
			;;

	"tmpfile" )	# Check tmpfile arg
			# The tmpfile used by the audit daemon (binfile) could
			# not be opened even unlinked or symlinked.
			# This error will cause the audit daemon to exit at
			# start.  If it occurs later the audit daemon will
			# attempt to carry on.

			if [ ! -n "$2" ]
			then
				$DEBUG_OUT "$0: Need error string arg with 'tmpfile'!"
				exit 1
			else
				ERROR=$2
			fi
			# Set message
			MESSAGE="The audit daemon is unable to update /var/run, error=$ERROR.\n This implies a serious problem."

			send_msg

			break
			;;

	"nostart" )	# Check no start arg

			# auditd attempts to set the audit state; if
			# it fails, it exits with a "nostart" code.
			# The most likely cause is that the kernel
			# audit module did not load due to a
			# configuration error.  auditd is not running.
			#
			# The audit daemon can not be started until
			# the error is corrected and the system is
			# rebooted.

			MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"

			send_msg

			break
			;;

	"auditoff" )	# Check audit off arg
			# Someone besides the audit daemon called the
			# system call auditon to "turn auditing off"
			# by setting the state to AUC_NOAUDIT.  This
			# will cause the audit daemon to exit.

			# Set message
			MESSAGE="Auditing has been turned off unexpectedly."
			send_msg

			break
			;;

	"postsigterm" )	# Check post sigterm arg
			# While the audit daemon was trying to shutdown
			# in an orderly fashion (corresponding to audit -t)
			# it got another signal or an error.  Some records
			# may not have been written.

			# Set message
			MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM.  Some audit records may have been lost."
			send_msg

			break
			;;

	"plugin" )	# Check plugin arg

			# There is a problem loading a plugin or a plugin
			# has reported a serious error.
			# Output from the plugin is either blocked or halted.

			if [ ! -n "$2" ]
			then
				$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
				exit 1
			else
				PLUGNAME=$2
			fi

			if [ ! -n "$3" ]
			then
				$DEBUG_OUT "$0: Need error arg with 'plugin'!"
				exit 1
			else
				ERROR=$3
			fi

			if [ ! -n "$4" ]
			then
				$DEBUG_OUT "$0: Need text arg with 'plugin'!"
				exit 1
			else
				TEXT=$4
			fi

			if [ ! -n "$5" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'plugin'!"
				exit 1
			else
				COUNT=$5
				if [ $COUNT -eq 1 ]; then
					S=""
				else
					S="s"
				fi
			fi

			# Set message
			MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
$PLUGNAME: $ERROR\n\
$TEXT\n\
This message has been displayed $COUNT time$S."
			send_msg
			break
			;;

	* )		# Check other args
			$DEBUG_OUT "$0: Arg not recognized: $1"
			exit 1
			;;

	esac

	shift
done

exit 0