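/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#11 $
 */

#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include "auditd.h"

/*
 * Largest number of caller-supplied arguments forwarded to the warning
 * script; anything beyond this is silently dropped.
 */
#define	AUDITWARN_MAXARGS	8

/*
 * Run the audit warning script (AUDITWARN_SCRIPT) in a child process, handing
 * it the NULL-terminated args[] vector as its arguments.
 *
 * The arguments reach the script through execv(2) as separate argv elements,
 * so no shell parses them on the way in; the script itself still has to treat
 * a file name argument as data.  The child inherits the daemon's credentials
 * and environment, and execv(2) does not search PATH, so the file that
 * AUDITWARN_SCRIPT names is what runs with those privileges.
 *
 * Returns 0 once fork(2) has succeeded and -1 if it failed.  A failed exec is
 * reported only through syslog(3) in the child, so a 0 return does not mean
 * the script ran.  The parent does not wait for the child here.
 * NOTE(review): confirm that the daemon reaps the child elsewhere.
 */
static int
auditwarnlog(char *args[])
{
	/* Script path + AUDITWARN_MAXARGS arguments + terminating NULL. */
	char *loc_args[AUDITWARN_MAXARGS + 2];
	pid_t pid;
	int i;

	/*
	 * Test the bound before reading args[i], and keep one slot free for
	 * the terminator: the previous nine-element array was written one
	 * past its end when eight arguments were supplied.
	 */
	loc_args[0] = AUDITWARN_SCRIPT;
	for (i = 0; i < AUDITWARN_MAXARGS && args[i] != NULL; i++)
		loc_args[i + 1] = args[i];
	loc_args[i + 1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * Leave with _exit(2) so that the failed child neither runs
		 * the daemon's atexit(3) handlers nor flushes stdio buffers
		 * inherited from the parent.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 */
	return (0);
}

/*
 * Indicates that the hard limit for all filesystems has been exceeded.
 */
int
audit_warn_allhard(void)
{
	char *args[2];

	args[0] = HARDLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for all filesystems has been exceeded.
 */
int
audit_warn_allsoft(void)
{
	char *args[2];

	args[0] = SOFTLIM_ALL_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that someone other than the audit daemon turned off auditing.
 * XXX It's not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 */
int
audit_warn_auditoff(void)
{
	char *args[2];

	args[0] = AUDITOFF_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that a trail file has been closed, so it can now be
 * post-processed.  filename is passed to the script as its second argument.
 */
int
audit_warn_closefile(char *filename)
{
	char *args[3];

	args[0] = CLOSEFILE_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the audit daemon is already running.
 */
int
audit_warn_ebusy(void)
{
	char *args[2];

	args[0] = EBUSY_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */
int
audit_warn_getacdir(char *filename)
{
	char *args[3];

	args[0] = GETACDIR_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the hard limit for this file has been exceeded.
 */
int
audit_warn_hard(char *filename)
{
	char *args[3];

	args[0] = HARDLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that auditing could not be started.
 */
int
audit_warn_nostart(void)
{
	char *args[2];

	args[0] = NOSTART_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that an error occurred during the orderly shutdown of the audit
 * daemon.
 */
int
audit_warn_postsigterm(void)
{
	char *args[2];

	args[0] = POSTSIGTERM_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for this file has been exceeded.
 */
int
audit_warn_soft(char *filename)
{
	char *args[3];

	args[0] = SOFTLIM_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that the temporary audit file already exists, which is a fatal
 * error.
 */
int
audit_warn_tmpfile(void)
{
	char *args[2];

	args[0] = TMPFILE_WARN;
	args[1] = NULL;

	return (auditwarnlog(args));
}

/*
 * Indicates that this trail file has expired and was removed.
 */
int
audit_warn_expired(char *filename)
{
	char *args[3];

	args[0] = EXPIRED_WARN;
	args[1] = filename;
	args[2] = NULL;

	return (auditwarnlog(args));
}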