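#! /bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2010 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

# This shell script warns the administrator when there are problems or
# potential problems with the audit daemon. The default script sends
# a message to the machine console in the case where there
# is no audit space available. It has comments in a few places where
# additional actions might be appropriate (eg. clearing some space).
#
# Usage: audit_warn <option> [<args>]
#
# It is normally invoked by auditd, not by hand. Each recognized option
# is handled by exactly one case arm below, which builds $MESSAGE and
# calls send_msg. The script is kept /bin/sh (Bourne) compatible: no
# $(...), no [[ ]], no "!" pipeline negation.
#
#---------------------------------------------------------------------------
# send mail and generate syslog output
#
# $MESSAGE and $SUBJECT are set by the caller. $COUNT may be set by the
# caller for repeating conditions: mail is sent only when $COUNT is unset
# or 1, syslog output is generated on every call. $LOGGER is set at the
# top level of the script.
#
# Backslash escapes in $MESSAGE (\n) are expanded with printf %b, so the
# output does not depend on which "echo" the shell provides. The syslog
# text is passed to $LOGCMD as one quoted argument so that argument text
# handed to this script (file names, plugin error text) is never
# word-split or glob-expanded by the shell.
#
# edit this function to omit syslog or mail output.
#---------------------------------------------------------------------------
send_msg() {
	MAILER=/usr/bin/mailx
	TR=/usr/bin/tr
	LOGCMD="$LOGGER -p daemon.alert"	# word-split on purpose

	ADDRESS=audit_warn	# standard alias for audit alerts

	# turn off redirect to /dev/null to see sendmail output
	/usr/lib/sendmail -bv "$ADDRESS" > /dev/null

	if [ "$?" -ne 0 ]
	then
		$LOGCMD "The $ADDRESS mail alias is not defined"
		ADDRESS=root
	fi

	# Mail only the first occurrence of a repeating condition.
	if [ -z "$COUNT" ] || [ "0$COUNT" -eq 1 ]
	then
		printf '%s: %b\n' "$0" "$MESSAGE" | $MAILER -s "$SUBJECT" "$ADDRESS"
	fi

	# syslog wants a single line: expand the escapes, then turn every
	# newline into a space (sed's "s/\n/ /g" never matched, since sed
	# sees one line at a time).
	STRIPPEDMSG=`printf '%b' "$MESSAGE" | $TR '\n' ' '`
	$LOGCMD "$STRIPPEDMSG"
}

#---------------------------------------------------------------------------
# print the plural suffix for a count: "" when $1 is 1, "s" otherwise.
# Used to word the "displayed N time(s)" messages.
#---------------------------------------------------------------------------
plural_suffix() {
	if [ "$1" -eq 1 ]
	then
		echo ""
	else
		echo "s"
	fi
}

# If you change this script, script debug should first be done via the
# command line, so input errors are output via "echo," but syslog
# debug messages are better for testing from auditd since the echo
# output would be lost. For testing with auditd, replace
# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'

LOGGER="/usr/bin/logger"
DEBUG_OUT="echo"	# word-split on purpose: may be a command plus options

# Check usage
if [ "$#" -lt 1 ] || [ "$#" -gt 5 ]
then
	$DEBUG_OUT "Usage: $0 <option> [<args>]"
	exit 1
fi

# Process args. Every recognized option ends its arm with "break", so
# only the first option on the command line is acted upon.
while [ -n "$1" ]
do

	SUBJECT="AUDIT DAEMON WARNING ($1)"

	case "$1" in

	"soft" )	# Check soft arg
		# One audit filesystem has filled to the soft limit
		# set up in audit_control.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need filename arg with 'soft'!"
			exit 1
		fi
		FILE=$2

		# Set message
		MESSAGE="Soft limit exceeded in file $FILE."
		send_msg

		break
		;;

	"allsoft" )	# Check all soft arg
		# All the audit filesystems have filled to the soft
		# limit set up in audit_control.

		# Set message
		MESSAGE="Soft limit exceeded on all filesystems."
		send_msg

		break
		;;

	"hard" )	# Check hard arg
		# One audit filesystem has filled completely.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need filename arg with 'hard'!"
			exit 1
		fi
		FILE=$2

		# Set message
		MESSAGE="Hard limit exceeded in file $FILE."
		send_msg

		break
		;;

	"allhard" )	# Check all hard arg
		# All the audit filesystems have filled completely.
		# The audit daemon will remain in a loop sleeping
		# and checking for space until some space is freed.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need count arg with 'allhard'!"
			exit 1
		fi
		COUNT=$2

		# Set message
		MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

		send_msg

		# This might be a place to make space in the
		# audit file systems.

		break
		;;

	"ebusy" )	# Check ebusy arg
		# The audit daemon is already running and can not
		# be started more than once.

		# Set message
		MESSAGE="The audit daemon is already running on this system."
		send_msg

		break
		;;

	"tmpfile" )	# Check tmpfile arg
		# The tmpfile used by the audit daemon (binfile) could
		# not be opened even unlinked or symlinked.
		# This error will cause the audit daemon to exit at
		# start. If it occurs later the audit daemon will
		# attempt to carry on.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need error string arg with 'tmpfile'!"
			exit 1
		fi
		ERROR=$2

		# Set message
		MESSAGE="The audit daemon is unable to update /var/run, error=$ERROR.\n This implies a serious problem."

		send_msg

		break
		;;

	"nostart" )	# Check no start arg

		# auditd attempts to set the audit state; if
		# it fails, it exits with a "nostart" code.
		# The most likely cause is that the kernel
		# audit module did not load due to a
		# configuration error. auditd is not running.
		#
		# The audit daemon can not be started until
		# the error is corrected and the system is
		# rebooted.

		MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"

		send_msg

		break
		;;

	"auditoff" )	# Check audit off arg
		# Someone besides the audit daemon called the
		# system call auditon to "turn auditing off"
		# by setting the state to AUC_NOAUDIT. This
		# will cause the audit daemon to exit.

		# Set message
		MESSAGE="Auditing has been turned off unexpectedly."
		send_msg

		break
		;;

	"postsigterm" )	# Check post sigterm arg
		# While the audit daemon was trying to shutdown
		# in an orderly fashion (corresponding to audit -t)
		# it got another signal or an error. Some records
		# may not have been written.

		# Set message
		MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM. Some audit records may have been lost."
		send_msg

		break
		;;

	"getacdir" )	# Check getacdir arg
		# There is a problem getting the directory list from
		# /etc/security/audit_control. Auditd is
		# going to hang in a sleep loop until the file is
		# fixed.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need count arg with 'getacdir'!"
			exit 1
		fi
		COUNT=$2
		S=`plural_suffix "$COUNT"`

		# Set message
		MESSAGE="There is a problem getting the directory\
 list or plugin list from audit_control(4). The audit daemon will hang
 until this file is fixed. This message has been displayed $COUNT time$S."
		send_msg
		break
		;;

	"plugin" )	# Check plugin arg

		# There is a problem loading a plugin or a plugin
		# has reported a serious error.
		# Output from the plugin is either blocked or halted.

		if [ -z "$2" ]
		then
			$DEBUG_OUT "$0: Need plugin name arg with 'plugin'!"
			exit 1
		fi
		PLUGNAME=$2

		if [ -z "$3" ]
		then
			$DEBUG_OUT "$0: Need error arg with 'plugin'!"
			exit 1
		fi
		ERROR=$3

		if [ -z "$4" ]
		then
			$DEBUG_OUT "$0: Need text arg with 'plugin'!"
			exit 1
		fi
		TEXT=$4

		if [ -z "$5" ]
		then
			$DEBUG_OUT "$0: Need count arg with 'plugin'!"
			exit 1
		fi
		COUNT=$5
		S=`plural_suffix "$COUNT"`

		# Set message. $PLUGNAME, $ERROR and $TEXT come straight
		# from the daemon's arguments; send_msg quotes them before
		# they reach mailx/logger.
		MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
$PLUGNAME: $ERROR\n\
$TEXT\n\
This message has been displayed $COUNT time$S."
		send_msg
		break
		;;

	* )	# Check other args
		$DEBUG_OUT "$0: Arg not recognized: $1"
		exit 1
		;;

	esac

	shift
done

exit 0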