1#! /bin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22#
23# Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24#
25
26# This shell script warns the administrator when there are problems or
27# potential problems with the audit daemon.  The default script sends
28# a message to the machine console in the case where there
29# is no audit space available.  It has comments in a few places where
# additional actions might be appropriate (e.g. clearing some space).
31#
32#---------------------------------------------------------------------------
33# send mail and generate syslog output
34#
35# $MESSAGE and $SUBJECT are set by the caller
36#
37# edit this function to omit syslog or mail output.
38#---------------------------------------------------------------------------
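send_msg() {
	# Deliver $MESSAGE (subject $SUBJECT) by mail and to syslog.
	# $COUNT, when set by the caller, is the number of times the same
	# condition has been reported; mail is only sent on the first one.
	MAILER=/usr/bin/mailx
	TR=/usr/bin/tr
	LOGCMD="$LOGGER -p daemon.alert"

	ADDRESS=audit_warn		# standard alias for audit alerts

	# turn off redirect to /dev/null to see sendmail output
	/usr/lib/sendmail -bv "$ADDRESS" > /dev/null

	if [ $? -ne 0 ]
	then
		$LOGCMD "The $ADDRESS mail alias is not defined"
		ADDRESS=root
	fi

	# Mail only the first report of a counted condition (or any
	# uncounted one); repeats are logged to syslog only.
	if [ -z "$COUNT" ] || [ "0$COUNT" -eq 1 ]
	then
		# %b expands the \n escapes embedded in $MESSAGE, independent
		# of which echo(1) the shell provides.
		printf '%s: %b\n' "$0" "$MESSAGE" | $MAILER -s "$SUBJECT" "$ADDRESS"
	fi

	# syslog gets a single line: expand the \n escapes and fold every
	# newline into a space.  The text is handed to logger as ONE quoted
	# argument after "--", so glob characters or a leading "-" in the
	# message (parts of which come from the caller's arguments) are
	# neither expanded by the shell nor parsed as logger options.
	STRIPPEDMSG=$(printf '%b' "$MESSAGE" | $TR '\n' ' ')
	$LOGCMD -- "$STRIPPEDMSG"
}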
63
64# If you change this script, script debug should first be done via the
65# command line, so input errors are output via "echo," but syslog
66# debug messages are better for testing from auditd since the echo
67# output would be lost.  For testing with auditd, replace
68# 'DEBUG_OUT="echo"' with 'DEBUG_OUT="$LOGGER -p daemon.debug"'
69
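LOGGER="/usr/bin/logger"
DEBUG_OUT="echo"

#---------------------------------------------------------------------------
# Abort with a usage error unless an option argument was supplied.
#
# $1 - the argument value to check
# $2 - short description of the argument for the error text (eg. filename)
# $3 - the option the argument belongs to (eg. soft)
#
# Exits 1 when $1 is empty; the complaint goes through $DEBUG_OUT so it
# lands wherever debugging output is currently directed.
#---------------------------------------------------------------------------
require_arg() {
	if [ -z "$1" ]
	then
		$DEBUG_OUT "$0: Need $2 arg with '$3'!"
		exit 1
	fi
}

# Check usage: one option plus at most four option arguments.
if [ "$#" -lt 1 ] || [ "$#" -gt 5 ]
then
	$DEBUG_OUT "Usage: $0 <option> [<args>]"
	exit 1
fi

# Process args.  Every recognised option ends with "break", so only the
# first option on the command line is acted upon; an unrecognised one
# is reported and the script exits 1.
while [ -n "$1" ]
do

	SUBJECT="AUDIT DAEMON WARNING ($1)"

	case "$1" in

	"soft" )	# Check soft arg
			# One audit filesystem has filled to the soft limit
			# that is configured in the audit service.

			require_arg "$2" filename soft
			FILE=$2

			# Set message
			MESSAGE="Soft limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allsoft" )	# Check all soft arg
			# All the audit filesystems have filled to the soft
			# limit set up in the audit service configuration.

			# Set message
			MESSAGE="Soft limit exceeded on all filesystems."
			send_msg

			break
			;;

	"hard" )	# Check hard arg
			# One audit filesystem has filled completely.

			require_arg "$2" filename hard
			FILE=$2

			# Set message
			MESSAGE="Hard limit exceeded in file $FILE."
			send_msg

			break
			;;

	"allhard" )	# Check all hard arg
			# All the audit filesystems have filled completely.
			# The audit daemon will remain in a loop sleeping
			# and checking for space until some space is freed.

			# $COUNT is also read by send_msg, which mails only
			# when it is 1 and logs to syslog on every call.
			require_arg "$2" count allhard
			COUNT=$2

			# Set message
			MESSAGE="Hard limit exceeded on all filesystems. (count=$COUNT)"

			send_msg

			# This might be a place to make space in the
			# audit file systems.

			break
			;;

	"ebusy" )	# Check ebusy arg
			# The audit daemon is already running and can not
			# be started more than once.

			# Set message
			MESSAGE="The audit daemon is already running on this system."
			send_msg

			break
			;;

	"tmpfile" )	# Check tmpfile arg
			# The tmpfile used by the audit daemon (binfile) could
			# not be opened even unlinked or symlinked.
			# This error will cause the audit daemon to exit at
			# start.  If it occurs later the audit daemon will
			# attempt to carry on.

			require_arg "$2" "error string" tmpfile
			ERROR=$2

			# Set message
			MESSAGE="The audit daemon is unable to update /var/run, error=$ERROR.\n This implies a serious problem."

			send_msg

			break
			;;

	"nostart" )	# Check no start arg

			# auditd attempts to set the audit state; if
			# it fails, it exits with a "nostart" code.
			# The most likely cause is that the kernel
			# audit module did not load due to a
			# configuration error.  auditd is not running.
			#
			# The audit daemon can not be started until
			# the error is corrected and the system is
			# rebooted.

			MESSAGE="audit failed to start because it cannot read or\
 write the system's audit state. This may be due to a configuration error.\n\n\
Must reboot to start auditing!"

			send_msg

			break
			;;

	"auditoff" )	# Check audit off arg
			# Someone besides the audit daemon called the
			# system call auditon to "turn auditing off"
			# by setting the state to AUC_NOAUDIT.  This
			# will cause the audit daemon to exit.

			# Set message
			MESSAGE="Auditing has been turned off unexpectedly."
			send_msg

			break
			;;

	"postsigterm" )	# Check post sigterm arg
			# While the audit daemon was trying to shutdown
			# in an orderly fashion (corresponding to audit -t)
			# it got another signal or an error.  Some records
			# may not have been written.

			# Set message
			MESSAGE="Received some signal or error while writing\
 audit records after SIGTERM.  Some audit records may have been lost."
			send_msg

			break
			;;

	"plugin" )	# Check plugin arg

			# There is a problem loading a plugin or a plugin
			# has reported a serious error.
			# Output from the plugin is either blocked or halted.

			require_arg "$2" "plugin name" plugin
			PLUGNAME=$2

			require_arg "$3" error plugin
			ERROR=$3

			require_arg "$4" text plugin
			TEXT=$4

			# $COUNT is also read by send_msg (mail only when 1).
			require_arg "$5" count plugin
			COUNT=$5

			# Pluralise "time" in the message.  $COUNT is quoted
			# so a value containing whitespace cannot turn into
			# extra operands for test(1).
			if [ "$COUNT" -eq 1 ]; then
				S=""
			else
				S="s"
			fi

			# Set message
			MESSAGE="The audit daemon has experienced the\
 following problem with loading or executing plugins:\n\n\
$PLUGNAME: $ERROR\n\
$TEXT\n\
This message has been displayed $COUNT time$S."
			send_msg
			break
			;;

	* )		# Check other args
			$DEBUG_OUT "$0: Arg not recognized: $1"
			exit 1
			;;

	esac

	shift
done

exit 0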
305