System Administration Commands audit_warn(1M)
NAME
audit_warn - audit daemon warning script
SYNOPSIS
/etc/security/audit_warn [option [arguments]]
DESCRIPTION
The audit_warn utility processes warning or error messages
from the audit daemon. When a problem is encountered, theaudit daemon, auditd(1M) calls audit_warn with the appropri-
ate arguments. The option argument specifies the error type.The system administrator can specify a list of mail reci-
pients to be notified when an audit_warn situation arises by
defining a mail alias called audit_warn in aliases(4). The
users that make up the audit_warn alias are typically the
audit and root users. OPTIONS The following options are supported: allhard count Indicates that the hard limit for all filesystems has been exceeded count times. The default action for thisoption is to send mail to the audit_warn alias only if
the count is 1, and to write a message to the machine console every time. It is recommended that mail not be sent every time as this could result in a the saturationof the file system that contains the mail spool direc-
tory. allsoft Indicates that the soft limit for all filesystems has been exceeded. The default action for this option is tosend mail to the audit_warn alias and to write a message
to the machine console. auditoff Indicates that someone other than the audit daemon changed the system audit state to something other thanAUC_AUDITING. The audit daemon will have exited in this
case. The default action for this option is to send mailto the audit_warn alias and to write a message to the
machine console.SunOS 5.11 Last change: 27 Jul 2010 1
System Administration Commands audit_warn(1M)
ebusy Indicates that the audit daemon is already running. The default action for this option is to send mail to theaudit_warn alias and to write a message to the machine
console. hard filename Indicates that the hard limit for the file has been exceeded. The default action for this option is to sendmail to the audit_warn alias and to write a message to
the machine console. nostart Indicates that auditing could not be started. The default action for this option is to send mail to theaudit_warn alias and to write a message to the machine
console. Some administrators may prefer to modifyaudit_warn to reboot the system when this error occurs.
plugin name error count text Indicates that an error occurred during execution of the auditd plugin name. The default action for this optionis to send mail to the audit_warn alias only if count is
1, and to write a message to the machine console every time. (Separate counts are kept for each error type.) It is recommended that mail not be sent every time as this could result in the saturation of the file system thatcontains the mail spool directory. The text field pro-
vides the detailed error message passed from the plug-
in. The error field is one of the following strings:load_error Unable to load the plugin name.
sys_error The plugin name is not executing due to
a system error such as a lack of resources.config_error No plug-ins loaded (including the binary
file plug-in, audit_binfile(5)) due to
configuration errors (see the -setplugin
option of the auditconfig(1M) command).The name string is -- , to indicate that
no plug-in name applies.
SunOS 5.11 Last change: 27 Jul 2010 2
System Administration Commands audit_warn(1M)
retry The plugin name reports it has encoun-
tered a temporary failure. For example,the audit_binfree.so plugin uses retry
to indicate that all directories are full.no_memory The plugin name reports a failure due to
lack of memory. invalid The plugin name reports it received an invalid input. failure The plugin name has reported an error as described in text. postsigterm Indicates that an error occurred during the orderly shutdown of the audit daemon. The default action forthis option is to send mail to the audit_warn alias and
to write a message to the machine console. soft filename Indicates that the soft limit for filename has been exceeded. The default action for this option is to sendmail to the audit_warn alias and to write a message to
the machine console. tmpfile Indicates that the temporary audit file already exists indicating a fatal error. The default action for thisoption is to send mail to the audit_warn alias and to
write a message to the machine console.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:SunOS 5.11 Last change: 27 Jul 2010 3
System Administration Commands audit_warn(1M)
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcs ||_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
The interface stability is evolving. The file content is unstable.SEE ALSO
audit(1M), auditconfig(1M), auditd(1M), aliases(4), audit.log(4), attributes(5) See the section on Solaris Auditing in System Administration Guide: Security Services. NOTES This functionality is available only if the Solaris Auditing feature has been enabled. If the audit policy perzone is set, the/etc/security/audit_warn script for the local zone is used
for notifications from the local zone's instance of auditd.If the perzone policy is not set, all auditd errors are gen-
erated by the global zone's copy of/etc/security/audit_warn.
SunOS 5.11 Last change: 27 Jul 2010 4