comparison usr/src/cmd/audit_warn/audit_warn.sh @ 0:c9caec207d52 b86

Initial porting based on b86
author Koji Uno <koji.uno@sun.com>
date Tue, 02 Jun 2009 18:56:50 +0900
parents
children 1a15d5aaf794
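--- a/usr/src/cmd/audit_warn/audit_warn.sh
+++ b/usr/src/cmd/audit_warn/audit_warn.sh
@@ -0,0 +1,326 @@
+#! /bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# ident "@(#)audit_warn.sh 1.10 07/09/04 SMI"
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+
+# This shell script warns the administrator when there are problems or
+# potential problems with the audit daemon. The default script sends
+# a message to the machine console in the case where there
+# is no audit space available. It has comments in a few places where
+# additional actions might be appropriate (eg. clearing some space).
+#
+#---------------------------------------------------------------------------
+# send mail and generate syslog output
+#
+# $MESSAGE and $SUBJECT are set by the caller
+#
+# edit this function to omit syslog or mail output.
+#---------------------------------------------------------------------------
+send_msg() {
+MAILER=/usr/bin/mailx
+SED=/usr/bin/sed
+LOGCMD="$LOGGER -p daemon.alert"
+
+ADDRESS=audit_warn # standard alias for audit alerts
+
+# turn off redirect to /dev/null to see sendmail output
+/usr/lib/sendmail -bv $ADDRESS > /dev/null
+
+if [ $? -ne 0 ]
+then
+$LOGCMD "The $ADDRESS mail alias is not defined"
+ADDRESS=root
+fi
+
+if [ -z "$COUNT" -o "0$COUNT" -eq 1 ]
+then
+echo "$0: $MESSAGE" | $MAILER -s "$SUBJECT" $ADDRESS
+fi
+
+STRIPPEDMSG=`echo "$MESSAGE" | $SED -e "s/\n/ /g"`
+$LOGCMD $STRIPPEDMSG
+}
+
+# If you change this script, script debug should first be done via the
+# command line, so input errors are output via "echo," but syslog
+# debug messages are better for testing from auditd since the echo
+# output would be lost. For testing with auditd, replace
+# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'
+
+LOGGER="/usr/bin/logger"
+DEBUG_OUT="echo"
+
+# Check usage
+if [ "$#" -lt "1" -o "$#" -gt "5" ]
+then
+$DEBUG_OUT "Usage: $0 <option> [<args>]"
+exit 1
+fi
+
+# Process args
+while [ -n "$1" ]
+do
+
+SUBJECT="AUDIT DAEMON WARNING ($1)"
+
+case "$1" in
+
+"soft" ) # Check soft arg
+# One audit filesystem has filled to the soft limit
+# set up in audit_control.
+
+if [ ! -n "$2" ]
+then
+$DEBUG_OUT "$0: Need filename arg with 'soft'!"
+exit 1
+else
+FILE=$2
+fi
+
+# Set message
+MESSAGE="Soft limit exceeded in file $FILE."
+send_msg
+
+break
+;;
+
+"allsoft" ) # Check all soft arg
+# All the audit filesystems have filled to the soft
+# limit set up in audit_control.
+
+# Set message
+MESSAGE="Soft limit exceeded on all filesystems."
+send_msg
+
+break
+;;
+
+"hard" ) # Check hard arg
+# One audit filesystem has filled completely.
+
+if [ ! -n "$2" ]
+then
+$DEBUG_OUT "$0: Need filename arg with 'hard'!"
+exit 1
+else
+FILE=$2
+fi
+
+# Set message
+MESSAGE="Hard limit exceeded in file $FILE."
+send_msg
+
+break
+;;
+
+"allhard" ) # Check all hard arg
+# All the audit filesystems have filled completely.
+# The audit daemon will remain in a loop sleeping
+# and checking for space until some space is freed.
+
+if [ ! -n "$2" ]
+then
+$DEBUG_OUT "$0: Need count arg with 'allhard'!"
+exit 1
+else
+COUNT=$2
+fi
+
+# Set message
+MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"
+
+send_msg
+
+# This might be a place to make space in the
+# audit file systems.
+
+break
+;;
+
+"ebusy" ) # Check ebusy arg
+# The audit daemon is already running and can not
+# be started more than once.
+
+# Set message
+MESSAGE="The audit daemon is already running on this system."
+send_msg
+
+break
+;;
+
+"tmpfile" ) # Check tempfile arg
+# The tempfile used by the audit daemon could not
+# be opened even though it was unlinked.
+# This error will cause the audit daemon to exit.
+
+# Set message
+MESSAGE="The audit daemon can not open audit_tmp.\
+This implies a serious problem. The audit daemon has exited!"
+
+send_msg
+
+break
+;;
+
+"nostart" ) # Check no start arg
+
+# auditd attempts to set the audit state; if
+# it fails, it exits with a "nostart" code.
+# The most likely cause is that the kernel
+# audit module did not load due to a
+# configuration error. auditd is not running.
+#
+# The audit daemon can not be started until
+# the error is corrected and the system is
+# rebooted.
+
+MESSAGE="audit failed to start because it cannot read or\
+write the system's audit state. This may be due to a configuration error.\n\n\
+Must reboot to start auditing!"
+
+send_msg
+
+break
+;;
+
+"auditoff" ) # Check audit off arg
+# Someone besides the audit daemon called the
+# system call auditon to "turn auditing off"
+# by setting the state to AUC_NOAUDIT. This
+# will cause the audit daemon to exit.
+
+# Set message
+MESSAGE="Auditing has been turned off unexpectedly."
+send_msg
+
+break
+;;
+
+"postsigterm" ) # Check post sigterm arg
+# While the audit daemon was trying to shutdown
+# in an orderly fashion (corresponding to audit -t)
+# it got another signal or an error. Some records
+# may not have been written.
+
+# Set message
+MESSAGE="Received some signal or error while writing\
+audit records after SIGTERM. Some audit records may have been lost."
+send_msg
+
+break
+;;
+
+"getacdir" ) # Check getacdir arg
+# There is a problem getting the directory list from
+# /etc/security/audit_control. Auditd is
+# going to hang in a sleep loop until the file is
+# fixed.
+
+if [ ! -n "$2" ]
+then
+$DEBUG_OUT "$0: Need count arg with 'getacdir'!"
+exit 1
+else
+COUNT=$2
+if [ $COUNT -eq 1 ]; then
+S=""
+else
+S="s"
+fi
+fi
+
+# Set message
+MESSAGE="There is a problem getting the directory\
+list or plugin list from audit_control(4). The audit daemon will hang
+until this file is fixed. This message has been displayed $COUNT time$S."
+send_msg
+break
+;;
+
+"plugin" ) # Check plugin arg
+
+# There is a problem loading a plugin or a plugin
+# has reported a serious error.
+# Output from the plugin is either blocked or halted.
+
+if [ ! -n "$2" ]
+then
+$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
+exit 1
+else
+PLUGNAME=$2
+fi
+
+if [ ! -n "$3" ]
+then
+$DEBUG_OUT "$0: Need error arg with 'plugin'!"
+exit 1
+else
+ERROR=$3
+fi
+
+if [ ! -n "$4" ]
+then
+$DEBUG_OUT "$0: Need text arg with 'plugin'!"
+exit 1
+else
+TEXT=$4
+fi
+
+if [ ! -n "$5" ]
+then
+$DEBUG_OUT "$0: Need count arg with 'plugin'!"
+exit 1
+else
+COUNT=$5
+if [ $COUNT -eq 1 ]; then
+S=""
+else
+S="s"
+fi
+fi
+
+# Set message
+MESSAGE="The audit daemon has experienced the\
+following problem with loading or executing plugins:\n\n\
+$PLUGNAME: $ERROR\n\
+$TEXT\n\
+This message has been displayed $COUNT time$S."
+send_msg
+break
+;;
+
+* ) # Check other args
+$DEBUG_OUT "$0: Arg not recognized: $1"
+exit 1
+;;
+
+esac
+
+shift
+done
+
+exit 0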
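Review bot: `$LOGCMD $STRIPPEDMSG` at the end of send_msg (line 64) expands the message unquoted, so the plugin-supplied `$ERROR` and `$TEXT` that the `plugin` arm splices into `$MESSAGE` are word-split and glob-expanded before reaching logger; a `*` or `?` in a plugin's error text would be replaced by file names from whatever directory the script happens to run in. The preceding `sed -e "s/\n/ /g"` does not join lines, since sed handles one line at a time and the pattern never matches, so the unquoted expansion is what currently flattens the message into one syslog record. Replacing those two lines with `` STRIPPEDMSG=`echo "$MESSAGE" | /usr/bin/tr '\n' ' '` `` and `$LOGCMD "$STRIPPEDMSG"` keeps the single-line record without the splitting. The same unquoted form appears in `if [ $COUNT -eq 1 ]; then` in the `getacdir` and `plugin` arms (lines 248 and 299), where a non-numeric count produces a `test` diagnostic instead of the usage error the other checks give; quoting it as `"$COUNT"` and rejecting non-digits up front would be consistent with the argument checks above it.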