System Administration Commands auditwarn(1M)
NAME
auditwarn - audit daemon warning script
SYNOPSIS
/etc/security/auditwarn [option [arguments]]
DESCRIPTION
The auditwarn utility processes warning or error messages
from the audit daemon. When a problem is encountered, the
audit daemon, auditd(1M), calls auditwarn with the
appropriate arguments. The option argument specifies the error type.
The system administrator can specify a list of mail
recipients to be notified when an auditwarn situation arises by
defining a mail alias called auditwarn in aliases(4). The
users that make up the auditwarn alias are typically the
audit and root users.
OPTIONS
The following options are supported:
allhard count
Indicates that the hard limit for all filesystems has
been exceeded count times. The default action for this
option is to send mail to the auditwarn alias only if
the count is 1, and to write a message to the machine
console every time. It is recommended that mail not be
sent every time as this could result in the saturation
of the file system that contains the mail spool
directory.
allsoft
Indicates that the soft limit for all filesystems has
been exceeded. The default action for this option is to
send mail to the auditwarn alias and to write a message
to the machine console.
auditoff
Indicates that someone other than the audit daemon
changed the system audit state to something other than
AUCAUDITING. The audit daemon will have exited in this
case. The default action for this option is to send mail
to the auditwarn alias and to write a message to the
machine console.
SunOS 5.11 Last change: 16 Apr 2008 1
ebusy
Indicates that the audit daemon is already running. The
default action for this option is to send mail to the
auditwarn alias and to write a message to the machine
console.
getacdir count
Indicates that there is a problem getting the directory
list or plugin list from auditcontrol(4). The audit
daemon will hang in a sleep loop until the file is
fixed. The default action for this option is to send
mail to the auditwarn alias only if count is 1, and to
write a message to the machine console every time. It is
recommended that mail not be sent every time as this
could result in the saturation of the file system that
contains the mail spool directory.
hard filename
Indicates that the hard limit for the file has been
exceeded. The default action for this option is to send
mail to the auditwarn alias and to write a message to
the machine console.
nostart
Indicates that auditing could not be started. The
default action for this option is to send mail to the
auditwarn alias and to write a message to the machine
console. Some administrators may prefer to modify
auditwarn to reboot the system when this error occurs.
plugin name error count text
Indicates that an error occurred during execution of the
auditd plugin name. The default action for this option
is to send mail to the auditwarn alias only if count is
1, and to write a message to the machine console every
time. (Separate counts are kept for each error type.) It
is recommended that mail not be sent every time as this
could result in the saturation of the file system that
contains the mail spool directory. The text field
provides the detailed error message passed from the plugin.
The error field is one of the following strings:
loaderror      Unable to load the plugin name.
syserror       The plugin name is not executing due to a system
               error such as a lack of resources.
configerror    No plugins loaded (including the binary file
               plugin, auditbinfile(5)) due to configuration
               errors in auditcontrol(4). The name string is --
               to indicate that no plugin name applies.
retry          The plugin name reports it has encountered a
               temporary failure. For example, the
               auditbinfree.so plugin uses retry to indicate
               that all directories are full.
nomemory       The plugin name reports a failure due to lack of
               memory.
invalid        The plugin name reports it received an invalid
               input.
failure        The plugin name has reported an error as
               described in text.
postsigterm
Indicates that an error occurred during the orderly
shutdown of the audit daemon. The default action for
this option is to send mail to the auditwarn alias and
to write a message to the machine console.
soft filename
Indicates that the soft limit for filename has been
exceeded. The default action for this option is to send
mail to the auditwarn alias and to write a message to
the machine console.
tmpfile
Indicates that the temporary audit file already exists,
indicating a fatal error. The default action for this
option is to send mail to the auditwarn alias and to
write a message to the machine console.
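EXAMPLES
The following handler skeleton is an added example, not the script shipped with Solaris. It shows the argument dispatch described under OPTIONS, including the "mail only if count is 1" rule. The function names (warn_plan, first_only, printable, emit), the output format, and the treatment of unknown options are assumptions.

```shell
#!/bin/sh
# Added example (not the Solaris script). warn_plan prints "<actions>|<message>"
# for one auditd call; the caller decides how to mail or write to the console.

emit() { printf '%s|%s\n' "$1" "$2"; }

# Repeating conditions: mail only when count is 1, console every time.
first_only() {
    case "$1" in
        1) echo "mail,console" ;;
        *) echo "console" ;;   # repeats and malformed counts never mail
    esac
}

# Added precaution: drop non-printable bytes from plugin-supplied text
# before it reaches a terminal or a mail body.
printable() { printf '%s' "$*" | LC_ALL=C tr -cd '[:print:]'; }

warn_plan() {
    opt="$1"
    [ $# -gt 0 ] && shift
    case "$opt" in
        allhard)
            emit "$(first_only "$1")" "hard limit exceeded on all filesystems, count $1" ;;
        getacdir)
            emit "$(first_only "$1")" "cannot get directory or plugin list, count $1" ;;
        plugin)
            name="$1"; err="$2"; count="$3"
            [ $# -ge 3 ] && shift 3 || set --
            case "$err" in
                loaderror|syserror|configerror|retry|nomemory|invalid|failure) ;;
                *) emit "mail,console" "plugin $name: unrecognized error field"
                   return 1 ;;
            esac
            emit "$(first_only "$count")" \
                 "plugin $name $err, count $count: $(printable "$@")" ;;
        hard|soft)
            emit "mail,console" "$opt limit exceeded for $1" ;;
        allsoft|auditoff|ebusy|nostart|postsigterm|tmpfile)
            emit "mail,console" "audit daemon reported $opt" ;;
        *)  # assumption: unknown options are surfaced rather than dropped
            emit "mail,console" "unrecognized option: $opt"
            return 1 ;;
    esac
}
```

Keeping the count check in one place makes it harder for a local modification to reintroduce mail on every repeat, which is the mail spool saturation risk noted under allhard, getacdir and plugin.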
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           SUNWcsr
Interface Stability    Evolving
The interface stability is evolving. The file content is
unstable.
SEE ALSO
audit(1M), auditd(1M), bsmconv(1M), aliases(4),
audit.log(4), auditcontrol(4), attributes(5)
See the section on Solaris Auditing in System Administration
Guide: Security Services.
NOTES
This functionality is available only if the Solaris Auditing
feature has been enabled. See bsmconv(1M) for more
information.
If the audit policy perzone is set, the
/etc/security/auditwarn script for the local zone is used
for notifications from the local zone's instance of auditd.
If the perzone policy is not set, all auditd errors are
generated by the global zone's copy of
/etc/security/auditwarn.