audit_warn.c revision 156283
1/* 2 * Copyright (c) 2005 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * @APPLE_BSD_LICENSE_HEADER_START@ 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 17 * its contributors may be used to endorse or promote products derived 18 * from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 21 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 22 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 24 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 27 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 * 31 * @APPLE_BSD_LICENSE_HEADER_END@ 32 * 33 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#6 $ 34 */ 35 36#include <sys/types.h> 37 38#include <stdio.h> 39#include <stdlib.h> 40#include <unistd.h> 41 42#include "auditd.h" 43 44/* 45 * Write an audit-related error to the system log via syslog(3). 46 */ 47static int 48auditwarnlog(char *args[]) 49{ 50 char *loc_args[9]; 51 pid_t pid; 52 int i; 53 54 loc_args[0] = AUDITWARN_SCRIPT; 55 for (i = 0; args[i] != NULL && i < 8; i++) 56 loc_args[i+1] = args[i]; 57 loc_args[i+1] = NULL; 58 59 pid = fork(); 60 if (pid == -1) 61 return (-1); 62 if (pid == 0) { 63 /* 64 * Child. 65 */ 66 execv(AUDITWARN_SCRIPT, loc_args); 67 syslog(LOG_ERR, "Could not exec %s (%m)\n", 68 AUDITWARN_SCRIPT); 69 exit(1); 70 } 71 /* 72 * Parent. 73 */ 74 return (0); 75} 76 77/* 78 * Indicates that the hard limit for all filesystems has been exceeded count 79 * times. 80 */ 81int 82audit_warn_allhard(int count) 83{ 84 char intstr[12]; 85 char *args[3]; 86 87 snprintf(intstr, 12, "%d", count); 88 89 args[0] = HARDLIM_ALL_WARN; 90 args[1] = intstr; 91 args[2] = NULL; 92 93 return (auditwarnlog(args)); 94} 95 96/* 97 * Indicates that the soft limit for all filesystems has been exceeded. 98 */ 99int 100audit_warn_allsoft(void) 101{ 102 char *args[2]; 103 104 args[0] = SOFTLIM_ALL_WARN; 105 args[1] = NULL; 106 107 return (auditwarnlog(args)); 108} 109 110/* 111 * Indicates that someone other than the audit daemon turned off auditing. 112 * XXX Its not clear at this point how this function will be invoked. 113 * 114 * XXXRW: This function is not used. 115 */ 116int 117audit_warn_auditoff(void) 118{ 119 char *args[2]; 120 121 args[0] = AUDITOFF_WARN; 122 args[1] = NULL; 123 124 return (auditwarnlog(args)); 125} 126 127/* 128 * Indicates that the audit deammn is already running 129 */ 130int 131audit_warn_ebusy(void) 132{ 133 char *args[2]; 134 135 args[0] = EBUSY_WARN; 136 args[1] = NULL; 137 138 return (auditwarnlog(args)); 139} 140 141/* 142 * Indicates that there is a problem getting the directory from 143 * audit_control. 144 * 145 * XXX Note that we take the filename instead of a count as the argument here 146 * (different from BSM). 147 */ 148int 149audit_warn_getacdir(char *filename) 150{ 151 char *args[3]; 152 153 args[0] = GETACDIR_WARN; 154 args[1] = filename; 155 args[2] = NULL; 156 157 return (auditwarnlog(args)); 158} 159 160/* 161 * Indicates that the hard limit for this file has been exceeded. 162 */ 163int 164audit_warn_hard(char *filename) 165{ 166 char *args[3]; 167 168 args[0] = HARDLIM_WARN; 169 args[1] = filename; 170 args[2] = NULL; 171 172 return (auditwarnlog(args)); 173} 174 175/* 176 * Indicates that auditing could not be started. 177 */ 178int 179audit_warn_nostart(void) 180{ 181 char *args[2]; 182 183 args[0] = NOSTART_WARN; 184 args[1] = NULL; 185 186 return (auditwarnlog(args)); 187} 188 189/* 190 * Indicaes that an error occrred during the orderly shutdown of the audit 191 * daemon. 192 */ 193int 194audit_warn_postsigterm(void) 195{ 196 char *args[2]; 197 198 args[0] = POSTSIGTERM_WARN; 199 args[1] = NULL; 200 201 return (auditwarnlog(args)); 202} 203 204/* 205 * Indicates that the soft limit for this file has been exceeded. 206 */ 207int 208audit_warn_soft(char *filename) 209{ 210 char *args[3]; 211 212 args[0] = SOFTLIM_WARN; 213 args[1] = filename; 214 args[2] = NULL; 215 216 return (auditwarnlog(args)); 217} 218 219/* 220 * Indicates that the temporary audit file already exists indicating a fatal 221 * error. 222 */ 223int 224audit_warn_tmpfile(void) 225{ 226 char *args[2]; 227 228 args[0] = TMPFILE_WARN; 229 args[1] = NULL; 230 231 return (auditwarnlog(args)); 232} 233