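/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <unistd.h>

#include "auditd.h"

/*
 * Run the audit warning script (AUDITWARN_SCRIPT) with the given arguments.
 *
 * args is a NULL-terminated list.  At most WARN_ARGS_MAX entries are
 * forwarded; anything beyond that is dropped.  The script is started with
 * fork(2) and execv(2), so each entry reaches it as one argv element and no
 * shell parses it at this layer.  The child keeps the daemon's environment,
 * because execv(2) does not replace it.
 *
 * Returns -1 if fork(2) fails and 0 otherwise.  A return of 0 does not mean
 * the script ran: a failed execv(2) is only reported by the child through
 * syslog(3), and the parent does not wait for the child.
 *
 * NOTE(review): nothing here reaps the child; confirm the daemon handles
 * SIGCHLD elsewhere.
 * NOTE(review): path arguments are handed to the script verbatim; confirm
 * the script treats them as data.
 */
static int
auditwarnlog(char *args[])
{
	enum { WARN_ARGS_MAX = 8 };
	/* Slot 0 is the script path and the last slot is the terminator. */
	char *loc_args[WARN_ARGS_MAX + 2];
	pid_t pid;
	int i;

	loc_args[0] = AUDITWARN_SCRIPT;
	/*
	 * Test the bound before reading args[i], and keep the terminating
	 * NULL inside loc_args even when WARN_ARGS_MAX entries are copied.
	 */
	for (i = 0; i < WARN_ARGS_MAX && args[i] != NULL; i++)
		loc_args[i + 1] = args[i];
	loc_args[i + 1] = NULL;

	pid = fork();
	if (pid == -1)
		return (-1);
	if (pid == 0) {
		/*
		 * Child.
		 */
		execv(AUDITWARN_SCRIPT, loc_args);
		syslog(LOG_ERR, "Could not exec %s (%m)\n",
		    AUDITWARN_SCRIPT);
		/*
		 * Leave with _exit(2) so the failed child neither runs the
		 * daemon's atexit handlers nor flushes its stdio buffers.
		 */
		_exit(1);
	}
	/*
	 * Parent.
	 */
	return (0);
}

/*
 * Each audit_warn_*() function below builds the argument list for one
 * warning event and returns the result of auditwarnlog().  Where a filename
 * is taken, a NULL filename ends the list early, so the script then
 * receives the event name only.
 */

/*
 * Indicates that the hard limit for all filesystems has been exceeded.
 */
int
audit_warn_allhard(void)
{
	char *args[] = { HARDLIM_ALL_WARN, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for all filesystems has been exceeded.
 */
int
audit_warn_allsoft(void)
{
	char *args[] = { SOFTLIM_ALL_WARN, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that someone other than the audit daemon turned off auditing.
 * XXX It's not clear at this point how this function will be invoked.
 *
 * XXXRW: This function is not used.
 */
int
audit_warn_auditoff(void)
{
	char *args[] = { AUDITOFF_WARN, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicate that a trail file has been closed, so can now be post-processed.
 */
int
audit_warn_closefile(char *filename)
{
	char *args[] = { CLOSEFILE_WARN, filename, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that the audit daemon is already running.
 */
int
audit_warn_ebusy(void)
{
	char *args[] = { EBUSY_WARN, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */
int
audit_warn_getacdir(char *filename)
{
	char *args[] = { GETACDIR_WARN, filename, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that the hard limit for this file has been exceeded.
 */
int
audit_warn_hard(char *filename)
{
	char *args[] = { HARDLIM_WARN, filename, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that auditing could not be started.
 */
int
audit_warn_nostart(void)
{
	char *args[] = { NOSTART_WARN, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that an error occurred during the orderly shutdown of the audit
 * daemon.
 */
int
audit_warn_postsigterm(void)
{
	char *args[] = { POSTSIGTERM_WARN, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that the soft limit for this file has been exceeded.
 */
int
audit_warn_soft(char *filename)
{
	char *args[] = { SOFTLIM_WARN, filename, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that the temporary audit file already exists indicating a fatal
 * error.
 */
int
audit_warn_tmpfile(void)
{
	char *args[] = { TMPFILE_WARN, NULL };

	return (auditwarnlog(args));
}

/*
 * Indicates that this trail file has expired and was removed.
 */
int
audit_warn_expired(char *filename)
{
	char *args[] = { EXPIRED_WARN, filename, NULL };

	return (auditwarnlog(args));
}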