      1 #! /bin/sh
      2 #
      3 # CDDL HEADER START
      4 #
      5 # The contents of this file are subject to the terms of the
      6 # Common Development and Distribution License (the "License").
      7 # You may not use this file except in compliance with the License.
      8 #
      9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
     10 # or http://www.opensolaris.org/os/licensing.
     11 # See the License for the specific language governing permissions
     12 # and limitations under the License.
     13 #
     14 # When distributing Covered Code, include this CDDL HEADER in each
     15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     16 # If applicable, add the following below this CDDL HEADER, with the
     17 # fields enclosed by brackets "[]" replaced with your own identifying
     18 # information: Portions Copyright [yyyy] [name of copyright owner]
     19 #
     20 # CDDL HEADER END
     21 #
     22 #
     23 # ident	"%Z%%M%	%I%	%E% SMI"
     24 #
     25 # Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
     26 # Use is subject to license terms.
     27 #
     28 
     29 # This shell script warns the administrator when there are problems or
     30 # potential problems with the audit daemon.  The default script sends
     31 # a message to the machine console in the case where there
     32 # is no audit space available.  It has comments in a few places where
     33 # additional actions might be appropriate (eg. clearing some space).
     34 #
     35 #---------------------------------------------------------------------------
     36 # send mail and generate syslog output
     37 #
     38 # $MESSAGE and $SUBJECT are set by the caller
     39 #
     40 # edit this function to omit syslog or mail output.
     41 #---------------------------------------------------------------------------
     42 send_msg() {
     43 	MAILER=/usr/bin/mailx
     44 	SED=/usr/bin/sed
     45 	LOGCMD="$LOGGER -p daemon.alert"
     46 
     47 	ADDRESS=audit_warn		# standard alias for audit alerts
     48 
     49 	# turn off redirect to /dev/null to see sendmail output
     50 	/usr/lib/sendmail -bv $ADDRESS > /dev/null
     51 
     52 	if [ $? -ne 0 ]
     53 	then
     54 		$LOGCMD "The $ADDRESS mail alias is not defined"
     55 		ADDRESS=root
     56 	fi
     57 
     58 	if [ -z "$COUNT" -o "0$COUNT" -eq 1 ]
     59 	then
     60 		echo "$0: $MESSAGE" | $MAILER -s "$SUBJECT" $ADDRESS
     61 	fi
     62 
     63 	STRIPPEDMSG=`echo "$MESSAGE" | $SED -e "s/\n/ /g"`
     64 	$LOGCMD $STRIPPEDMSG
     65 }
     66 
     67 # If you change this script, script debug should first be done via the
     68 # command line, so input errors are output via "echo," but syslog
     69 # debug messages are better for testing from auditd since the echo
     70 # output would be lost.  For testing with auditd, replace
     71 # 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'
     72 
     73 LOGGER="/usr/bin/logger"
     74 DEBUG_OUT="echo"
     75 
     76 # Check usage
     77 if [ "$#" -lt "1" -o "$#" -gt "5" ]
     78 then
     79 	$DEBUG_OUT "Usage: $0 <option> [<args>]"
     80 	exit 1
     81 fi
     82 
     83 # Process args
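# Process args.  Every recognized keyword ends its case arm with
# "break" (or exits), so the body runs for the first keyword only and
# the trailing "shift" is reached only if an arm is ever changed to
# fall through.
while [ -n "$1" ]
do

	SUBJECT="AUDIT DAEMON WARNING ($1)"

	case "$1" in

	"soft" )	# Check soft arg
			# One audit filesystem has filled to the soft limit
			# set up in audit_control.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'soft'!"
				exit 1
			fi
			FILE=$2

			# Set message
			MESSAGE="Soft limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allsoft" )	# Check all soft arg
			# All the audit filesystems have filled to the soft
			# limit set up in audit_control.

			# Set message
			MESSAGE="Soft limit exceeded on all filesystems."
			send_msg

			break
			;;

	"hard" )	# Check hard arg
			# One audit filesystem has filled completely.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need filename arg with 'hard'!"
				exit 1
			fi
			FILE=$2

			# Set message
			MESSAGE="Hard limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allhard" )	# Check all hard arg
			# All the audit filesystems have filled completely.
			# The audit daemon will remain in a loop sleeping
			# and checking for space until some space is freed.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'allhard'!"
				exit 1
			fi
			# $COUNT is read by send_msg: mail goes out only
			# when it is 1, syslog output on every call.
			COUNT=$2

			# Set message
			MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

			send_msg

			# This might be a place to make space in the
			# audit file systems.

			break
			;;

	"ebusy" )	# Check ebusy arg
			# The audit daemon is already running and can not
			# be started more than once.

			# Set message
			MESSAGE="The audit daemon is already running on this system."
			send_msg

			break
			;;

	"tmpfile" )	# Check tempfile arg
			# The tempfile used by the audit daemon could not
			# be opened even though it was unlinked.
			# This error will cause the audit daemon to exit.

			# Set message
			MESSAGE="The audit daemon can not open audit_tmp.\
  This implies a serious problem.  The audit daemon has exited!"

			send_msg

			break
			;;

	"nostart" )	# Check no start arg

			# auditd attempts to set the audit state; if
			# it fails, it exits with a "nostart" code.
			# The most likely cause is that the kernel
			# audit module did not load due to a
			# configuration error.  auditd is not running.
			#
			# The audit daemon can not be started until
			# the error is corrected and the system is
			# rebooted.

			MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"

			send_msg

			break
			;;

	"auditoff" )	# Check audit off arg
			# Someone besides the audit daemon called the
			# system call auditon to "turn auditing off"
			# by setting the state to AUC_NOAUDIT.  This
			# will cause the audit daemon to exit.

			# Set message
			MESSAGE="Auditing has been turned off unexpectedly."
			send_msg

			break
			;;

	"postsigterm" )	# Check post sigterm arg
			# While the audit daemon was trying to shutdown
			# in an orderly fashion (corresponding to audit -t)
			# it got another signal or an error.  Some records
			# may not have been written.

			# Set message
			MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM.  Some audit records may have been lost."
			send_msg

			break
			;;

	"getacdir" )	# Check getacdir arg
			# There is a problem getting the directory list from
			# /etc/security/audit_control.  Auditd is
			# going to hang in a sleep loop until the file is
			# fixed.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'getacdir'!"
				exit 1
			fi
			COUNT=$2
			# Pluralize "time" unless the count is exactly 1
			# (a non-numeric count makes test fail and keeps "s").
			S="s"
			if [ "$COUNT" -eq 1 ]; then
				S=""
			fi

			# Set message
			MESSAGE="There is a problem getting the directory\
 list or plugin list from audit_control(4).  The audit daemon will hang
 until this file is fixed.  This message has been displayed $COUNT time$S."
			send_msg
			break
			;;

	"plugin" )	# Check plugin arg

			# There is a problem loading a plugin or a plugin
			# has reported a serious error.
			# Output from the plugin is either blocked or halted.
			# Expects four args: plugin name, error, text, count.

			if [ -z "$2" ]
			then
				$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
				exit 1
			fi
			PLUGNAME=$2

			if [ -z "$3" ]
			then
				$DEBUG_OUT "$0: Need error arg with 'plugin'!"
				exit 1
			fi
			ERROR=$3

			if [ -z "$4" ]
			then
				$DEBUG_OUT "$0: Need text arg with 'plugin'!"
				exit 1
			fi
			TEXT=$4

			if [ -z "$5" ]
			then
				$DEBUG_OUT "$0: Need count arg with 'plugin'!"
				exit 1
			fi
			COUNT=$5
			# Pluralize "time" unless the count is exactly 1
			# (a non-numeric count makes test fail and keeps "s").
			S="s"
			if [ "$COUNT" -eq 1 ]; then
				S=""
			fi

			# Set message
			MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
$PLUGNAME: $ERROR\n\
$TEXT\n\
This message has been displayed $COUNT time$S."
			send_msg
			break
			;;

	* )		# Check other args
			$DEBUG_OUT "$0: Arg not recognized: $1"
			exit 1
			;;

	esac

	shift
done

exit 0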