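/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
 *    its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
 */

#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include "auditd.h"

/*
 * Run the audit warning script (AUDITWARN_SCRIPT) in a forked child, passing
 * it the NULL-terminated vector 'args' after the script path.  At most
 * WARN_MAXARGS entries of 'args' are forwarded; further entries are dropped.
 *
 * The script is started with execv(2) and an explicit argv, so no shell
 * parses the arguments at this layer; filename arguments reach the script
 * verbatim.
 *
 * Returns 0 in the parent once the child has been forked (the outcome of the
 * script is not collected here), or -1 if fork(2) fails.
 */
static int
auditwarnlog(char *args[])
{
	enum { WARN_MAXARGS = 8 };
	/* Script path + up to WARN_MAXARGS arguments + NULL terminator. */
	char *loc_args[WARN_MAXARGS + 2];
	pid_t pid;
	int i;

	loc_args[0] = AUDITWARN_SCRIPT;
	/*
	 * Test the bound before reading args[i] so the caller's array is
	 * never read past the last slot that can be forwarded.  The vector
	 * is sized so that the terminator written after a full copy still
	 * lands inside loc_args.
	 */
	for (i = 0; i < WARN_MAXARGS && args[i] != NULL; i++)
		loc_args[i + 1] = args[i];
	loc_args[i + 1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * Leave with _exit(2): exit(3) would run the atexit handlers
		 * and flush the stdio buffers this child inherited from the
		 * daemon.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 *
	 * NOTE(review): the child is not waited for in this function;
	 * presumably it is reaped by SIGCHLD handling elsewhere in auditd --
	 * confirm.
	 */
	return (0);
}

/*
 * Indicates that the hard limit for all filesystems has been exceeded.
 * Returns the result of auditwarnlog().
 */
int
audit_warn_allhard(void)
{
	char *args[2];

	args[0] = HARDLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for all filesystems has been exceeded.
 * Returns the result of auditwarnlog().
 */
int
audit_warn_allsoft(void)
{
	char *args[2];

	args[0] = SOFTLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that someone other than the audit daemon turned off auditing.
 * XXX It's not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 */
int
audit_warn_auditoff(void)
{
	char *args[2];

	args[0] = AUDITOFF_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicate that a trail file has been closed, so can now be post-processed.
 * 'filename' is handed to the warning script as its second argument.
 */
int
audit_warn_closefile(char *filename)
{
	char *args[3];

	args[0] = CLOSEFILE_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the audit daemon is already running.
 */
int
audit_warn_ebusy(void)
{
	char *args[2];

	args[0] = EBUSY_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */
int
audit_warn_getacdir(char *filename)
{
	char *args[3];

	args[0] = GETACDIR_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the hard limit for this file has been exceeded.
 */
int
audit_warn_hard(char *filename)
{
	char *args[3];

	args[0] = HARDLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that auditing could not be started.
 */
int
audit_warn_nostart(void)
{
	char *args[2];

	args[0] = NOSTART_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that an error occurred during the orderly shutdown of the audit
 * daemon.
 */
int
audit_warn_postsigterm(void)
{
	char *args[2];

	args[0] = POSTSIGTERM_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for this file has been exceeded.
 */
int
audit_warn_soft(char *filename)
{
	char *args[3];

	args[0] = SOFTLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the temporary audit file already exists indicating a fatal
 * error.
 */
int
audit_warn_tmpfile(void)
{
	char *args[2];

	args[0] = TMPFILE_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that this trail file has expired and was removed.
 */
int
audit_warn_expired(char *filename)
{
	char *args[3];

	args[0] = EXPIRED_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}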