audit_warn(1M)          System Administration Commands          audit_warn(1M)

NAME

       audit_warn - audit daemon warning script

SYNOPSIS

       /etc/security/audit_warn [option [arguments]]

DESCRIPTION

       The audit_warn utility processes warning or error messages from the
       audit daemon. When a problem is encountered, the audit daemon,
       auditd(1M), calls audit_warn with the appropriate arguments. The option
       argument specifies the error type.

       The system administrator can specify a list of mail recipients to be
       notified when an audit_warn situation arises by defining a mail alias
       called audit_warn in aliases(4). The users that make up the audit_warn
       alias are typically the audit and root users.

OPTIONS

       The following options are supported:

       allhard count

           Indicates that the hard limit for all filesystems has been exceeded
           count times. The default action for this option is to send mail to
           the audit_warn alias only if the count is 1, and to write a message
           to the machine console every time. It is recommended that mail not
           be sent every time as this could result in the saturation of the
           file system that contains the mail spool directory.

       allsoft

           Indicates that the soft limit for all filesystems has been
           exceeded. The default action for this option is to send mail to the
           audit_warn alias and to write a message to the machine console.

       auditoff

           Indicates that someone other than the audit daemon changed the
           system audit state to something other than AUC_AUDITING. The audit
           daemon will have exited in this case. The default action for this
           option is to send mail to the audit_warn alias and to write a
           message to the machine console.

       ebusy

           Indicates that the audit daemon is already running. The default
           action for this option is to send mail to the audit_warn alias and
           to write a message to the machine console.

       getacdir count

           Indicates that there is a problem getting the directory list or
           plugin list from audit_control(4). The audit daemon will hang in a
           sleep loop until the file is fixed. The default action for this
           option is to send mail to the audit_warn alias only if count is 1,
           and to write a message to the machine console every time. It is
           recommended that mail not be sent every time as this could result
           in the saturation of the file system that contains the mail spool
           directory.

       hard filename

           Indicates that the hard limit for the file has been exceeded. The
           default action for this option is to send mail to the audit_warn
           alias and to write a message to the machine console.

       nostart

           Indicates that auditing could not be started. The default action
           for this option is to send mail to the audit_warn alias and to
           write a message to the machine console. Some administrators may
           prefer to modify audit_warn to reboot the system when this error
           occurs.

       plugin name error count text

           Indicates that an error occurred during execution of the auditd
           plugin name. The default action for this option is to send mail to
           the audit_warn alias only if count is 1, and to write a message to
           the machine console every time. (Separate counts are kept for each
           error type.) It is recommended that mail not be sent every time as
           this could result in the saturation of the file system that
           contains the mail spool directory. The text field provides the
           detailed error message passed from the plugin. The error field is
           one of the following strings:

           load_error      Unable to load the plugin name.

           sys_error       The plugin name is not executing due to a system
                           error such as a lack of resources.

           config_error    No plugins loaded (including the binary file
                           plugin, audit_binfile(5)) due to configuration
                           errors in audit_control(4). The name string is --
                           to indicate that no plugin name applies.

           retry           The plugin name reports it has encountered a
                           temporary failure. For example, the
                           audit_binfree.so plugin uses retry to indicate that
                           all directories are full.

           no_memory       The plugin name reports a failure due to lack of
                           memory.

           invalid         The plugin name reports it received an invalid
                           input.

           failure         The plugin name has reported an error as described
                           in text.

       postsigterm

           Indicates that an error occurred during the orderly shutdown of the
           audit daemon. The default action for this option is to send mail to
           the audit_warn alias and to write a message to the machine console.

       soft filename

           Indicates that the soft limit for filename has been exceeded. The
           default action for this option is to send mail to the audit_warn
           alias and to write a message to the machine console.

       tmpfile

           Indicates that the temporary audit file already exists, indicating
           a fatal error. The default action for this option is to send mail
           to the audit_warn alias and to write a message to the machine
           console.

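       The option list above, as an added example (not the script shipped in
       /etc/security): a dry-run dispatcher that validates the arguments
       auditd passes and reports which channels the documented default action
       would notify. The function names, the strict argument checks and the
       "usage" result are assumptions of this sketch.

```shell
#!/bin/sh
# Dry-run dispatcher for the audit_warn options documented above. It prints
# the channels to notify instead of running mail or writing to the console.
# Function names and the "usage" result are assumptions of this sketch.

# Options that carry a count: mail on the first occurrence only, so repeated
# warnings cannot saturate the file system holding the mail spool.
first_only() {
    case "$1" in
        ''|*[!0-9]*) echo "usage"; return 2 ;;   # count must be numeric
    esac
    if [ "$1" -eq 1 ]; then echo "mail console"; else echo "console"; fi
}

audit_warn_action() {
    [ $# -ge 1 ] || { echo "usage"; return 2; }
    case "$1" in
        allsoft|auditoff|ebusy|nostart|postsigterm|tmpfile)
            [ $# -eq 1 ] || { echo "usage"; return 2; }
            echo "mail console" ;;
        soft|hard)                               # soft filename / hard filename
            [ $# -eq 2 ] || { echo "usage"; return 2; }
            echo "mail console" ;;
        allhard|getacdir)                        # allhard count / getacdir count
            [ $# -eq 2 ] || { echo "usage"; return 2; }
            first_only "$2" ;;
        plugin)                                  # plugin name error count text
            [ $# -ge 5 ] || { echo "usage"; return 2; }
            case "$3" in
                load_error|sys_error|config_error|retry|no_memory|invalid|failure) ;;
                *) echo "usage"; return 2 ;;
            esac
            first_only "$4" ;;
        *)
            echo "usage"; return 2 ;;
    esac
}

# Stand-alone use: ./sketch.sh allhard 3   (prints "console")
if [ $# -gt 0 ]; then audit_warn_action "$@"; fi
```
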

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsr                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘

       The interface stability is evolving. The file content is unstable.

SEE ALSO

       audit(1M), auditd(1M), bsmconv(1M), aliases(4), audit.log(4),
       audit_control(4), attributes(5)

       See the section on Solaris Auditing in System Administration Guide:
       Security Services.

NOTES

       This functionality is available only if the Solaris Auditing feature
       has been enabled. See bsmconv(1M) for more information.

       If the audit policy perzone is set, the /etc/security/audit_warn script
       for the local zone is used for notifications from the local zone's
       instance of auditd. If the perzone policy is not set, all auditd errors
       are generated by the global zone's copy of /etc/security/audit_warn.

SunOS 5.11                        16 Apr 2008                   audit_warn(1M)