audit_warn(1M) System Administration Commands audit_warn(1M)NAMEaudit_warn - audit daemon warning script
SYNOPSIS
/etc/security/audit_warn [option [arguments]]
DESCRIPTION
The audit_warn utility processes warning or error messages from the
audit daemon. When a problem is encountered, the audit daemon,
auditd(1M) calls audit_warn with the appropriate arguments. The option
argument specifies the error type.
The system administrator can specify a list of mail recipients to be
notified when an audit_warn situation arises by defining a mail alias
called audit_warn in aliases(4). The users that make up the audit_warn
alias are typically the audit and root users.
OPTIONS
The following options are supported:
allhard count
Indicates that the hard limit for all filesystems has been exceeded
count times. The default action for this option is to send mail to
the audit_warn alias only if the count is 1, and to write a message
to the machine console every time. It is recommended that mail not
be sent every time as this could result in a the saturation of the
file system that contains the mail spool directory.
allsoft
Indicates that the soft limit for all filesystems has been
exceeded. The default action for this option is to send mail to the
audit_warn alias and to write a message to the machine console.
auditoff
Indicates that someone other than the audit daemon changed the sys‐
tem audit state to something other than AUC_AUDITING. The audit
daemon will have exited in this case. The default action for this
option is to send mail to the audit_warn alias and to write a mes‐
sage to the machine console.
ebusy
Indicates that the audit daemon is already running. The default
action for this option is to send mail to the audit_warn alias and
to write a message to the machine console.
getacdir count
Indicates that there is a problem getting the directory list or
plugin list from audit_control(4). The audit daemon will hang in a
sleep loop until the file is fixed. The default action for this
option is to send mail to the audit_warn alias only if count is 1,
and to write a message to the machine console every time. It is
recommended that mail not be sent every time as this could result
in a the saturation of the file system that contains the mail spool
directory.
hard filename
Indicates that the hard limit for the file has been exceeded. The
default action for this option is to send mail to the audit_warn
alias and to write a message to the machine console.
nostart
Indicates that auditing could not be started. The default action
for this option is to send mail to the audit_warn alias and to
write a message to the machine console. Some administrators may
prefer to modify audit_warn to reboot the system when this error
occurs.
plugin name error count text
Indicates that an error occurred during execution of the auditd
plugin name. The default action for this option is to send mail to
the audit_warn alias only if count is 1, and to write a message to
the machine console every time. (Separate counts are kept for each
error type.) It is recommended that mail not be sent every time as
this could result in the saturation of the file system that con‐
tains the mail spool directory. The text field provides the
detailed error message passed from the plugin. The error field is
one of the following strings:
load_error Unable to load the plugin name.
sys_error The plugin name is not executing due to a system
error such as a lack of resources.
config_error No plugins loaded (including the binary file plug‐
in, audit_binfile(5)) due to configuration errors
in audit_control(4). The name string is -- to indi‐
cate that no plugin name applies.
retry The plugin name reports it has encountered a tempo‐
rary failure. For example, the audit_binfree.so
plugin uses retry to indicate that all directories
are full.
no_memory The plugin name reports a failure due to lack of
memory.
invalid The plugin name reports it received an invalid
input.
failure The plugin name has reported an error as described
in text.
postsigterm
Indicates that an error occurred during the orderly shutdown of the
audit daemon. The default action for this option is to send mail to
the audit_warn alias and to write a message to the machine console.
soft filename
Indicates that the soft limit for filename has been exceeded. The
default action for this option is to send mail to the audit_warn
alias and to write a message to the machine console.
tmpfile
Indicates that the temporary audit file already exists indicating a
fatal error. The default action for this option is to send mail to
the audit_warn alias and to write a message to the machine console.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWcs │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
└─────────────────────────────┴─────────────────────────────┘
The interface stability is evolving. The file content is unstable.
SEE ALSOaudit(1M), auditd(1M), bsmconv(1M), aliases(4), audit.log(4),
audit_control(4), attributes(5)
See the section on Solaris Auditing in System Administration Guide:
Security Services.
NOTES
This functionality is available only if the Solaris Auditing feature
has been enabled. See bsmconv(1M) for more information.
If the audit policy perzone is set, the /etc/security/audit_warn script
for the local zone is used for notifications from the local zone's
instance of auditd. If the perzone policy is not set, all auditd errors
are generated by the global zone's copy of /etc/security/audit_warn.
SunOS 5.11 16 Apr 2008 audit_warn(1M)