audit_warn(1M)          System Administration Commands          audit_warn(1M)

NAME
     audit_warn - audit daemon warning script

SYNOPSIS
     /etc/security/audit_warn [option [arguments]]

DESCRIPTION
     The audit_warn utility processes warning or error messages from the
     audit daemon. When a problem is encountered, the audit daemon,
     auditd(1M), calls audit_warn with the appropriate arguments. The option
     argument specifies the error type.

     The system administrator can specify a list of mail recipients to be
     notified when an audit_warn situation arises by defining a mail alias
     called audit_warn in aliases(4). The users that make up the audit_warn
     alias are typically the audit and root users.

OPTIONS
     The following options are supported:

     allhard count

         Indicates that the hard limit for all filesystems has been exceeded
         count times. The default action for this option is to send mail to
         the audit_warn alias only if the count is 1, and to write a message
         to the machine console every time. It is recommended that mail not
         be sent every time as this could result in the saturation of the
         file system that contains the mail spool directory.

     allsoft

         Indicates that the soft limit for all filesystems has been
         exceeded. The default action for this option is to send mail to the
         audit_warn alias and to write a message to the machine console.

     auditoff

         Indicates that someone other than the audit daemon changed the
         system audit state to something other than AUC_AUDITING. The audit
         daemon will have exited in this case. The default action for this
         option is to send mail to the audit_warn alias and to write a
         message to the machine console.

     ebusy

         Indicates that the audit daemon is already running. The default
         action for this option is to send mail to the audit_warn alias and
         to write a message to the machine console.

     getacdir count

         Indicates that there is a problem getting the directory list or
         plugin list from audit_control(4). The audit daemon will hang in a
         sleep loop until the file is fixed. The default action for this
         option is to send mail to the audit_warn alias only if count is 1,
         and to write a message to the machine console every time. It is
         recommended that mail not be sent every time as this could result
         in the saturation of the file system that contains the mail spool
         directory.

     hard filename

         Indicates that the hard limit for the file has been exceeded. The
         default action for this option is to send mail to the audit_warn
         alias and to write a message to the machine console.

     nostart

         Indicates that auditing could not be started. The default action
         for this option is to send mail to the audit_warn alias and to
         write a message to the machine console. Some administrators may
         prefer to modify audit_warn to reboot the system when this error
         occurs.

     plugin name error count text

         Indicates that an error occurred during execution of the auditd
         plugin name. The default action for this option is to send mail to
         the audit_warn alias only if count is 1, and to write a message to
         the machine console every time. (Separate counts are kept for each
         error type.) It is recommended that mail not be sent every time as
         this could result in the saturation of the file system that
         contains the mail spool directory. The text field provides the
         detailed error message passed from the plugin. The error field is
         one of the following strings:

         load_error      Unable to load the plugin name.

         sys_error       The plugin name is not executing due to a system
                         error such as a lack of resources.

         config_error    No plugins loaded (including the binary file
                         plugin, audit_binfile(5)) due to configuration
                         errors in audit_control(4). The name string is --
                         to indicate that no plugin name applies.

         retry           The plugin name reports it has encountered a
                         temporary failure. For example, the
                         audit_binfree.so plugin uses retry to indicate
                         that all directories are full.

         no_memory       The plugin name reports a failure due to lack of
                         memory.

         invalid         The plugin name reports it received an invalid
                         input.

         failure         The plugin name has reported an error as described
                         in text.

     postsigterm

         Indicates that an error occurred during the orderly shutdown of the
         audit daemon. The default action for this option is to send mail to
         the audit_warn alias and to write a message to the machine console.

     soft filename

         Indicates that the soft limit for filename has been exceeded. The
         default action for this option is to send mail to the audit_warn
         alias and to write a message to the machine console.

     tmpfile

         Indicates that the temporary audit file already exists, indicating
         a fatal error. The default action for this option is to send mail
         to the audit_warn alias and to write a message to the machine
         console.

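The default actions described under the options above, as an added example (this is not the shipped /etc/security/audit_warn script): the hypothetical function audit_warn_plan maps the arguments auditd passes to "mail+console" or "console", mailing only on the first occurrence for the options that carry a count. Treating a missing count or an unrecognised plugin error string as console-only is an assumption of this example.

```shell
#!/bin/sh
# Added example: NOT the shipped /etc/security/audit_warn script.
# All function names here are hypothetical.

# mail_on_first COUNT: options that carry a count mail the audit_warn alias
# only when count is 1; the console message is written every time.
mail_on_first() {
    case "$1" in
        1) echo "mail+console" ;;
        *) echo "console" ;;   # repeats, or a missing/garbled count (assumption)
    esac
}

# plugin_error_known ERROR: succeeds for the error strings listed under "plugin".
plugin_error_known() {
    case "$1" in
        load_error|sys_error|config_error|retry|no_memory|invalid|failure) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_warn_plan OPTION [ARGUMENTS]: print the default action for one call.
audit_warn_plan() {
    case "$1" in
        allhard|getacdir)
            mail_on_first "$2" ;;
        plugin)
            # Argument order: plugin name error count text
            if plugin_error_known "$3"; then
                mail_on_first "$4"
            else
                echo "console"   # unrecognised error string (assumption): no mail
            fi ;;
        allsoft|auditoff|ebusy|hard|nostart|postsigterm|soft|tmpfile)
            echo "mail+console" ;;
        *)
            echo "unknown" ;;
    esac
}

# Constructed sample invocations, in the form auditd would pass them.
audit_warn_plan allhard 1
audit_warn_plan allhard 2
audit_warn_plan plugin -- config_error 1 "constructed sample text"
audit_warn_plan soft /var/audit/constructed-sample-file
```

Arguments such as filename and text originate outside the script, so a real handler should keep them quoted, as above, when building the mail body or console message.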
ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsr                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Evolving                     │
     └─────────────────────────────┴─────────────────────────────┘

     The interface stability is evolving. The file content is unstable.

SEE ALSO
     audit(1M), auditd(1M), bsmconv(1M), aliases(4), audit.log(4),
     audit_control(4), attributes(5)

     See the section on Solaris Auditing in System Administration Guide:
     Security Services.

NOTES
     This functionality is available only if the Solaris Auditing feature
     has been enabled. See bsmconv(1M) for more information.

     If the audit policy perzone is set, the /etc/security/audit_warn script
     for the local zone is used for notifications from the local zone's
     instance of auditd. If the perzone policy is not set, all auditd errors
     are generated by the global zone's copy of /etc/security/audit_warn.

SunOS 5.11                        16 Apr 2008                  audit_warn(1M)